CVE-2006-2406

Unclassified NewsBoard < 1.5.3d - Directory Traversal via design_path Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-2406. PoCs published by rgod.

AI-analyzed exploit summary: This exploit leverages a local file inclusion vulnerability in Unclassified NewsBoard <= 1.6.1 patch 1 due to improper initialization of the $ABBC['Config']['smileset'] variable. It uploads a malicious avatar containing PHP code to achieve remote command execution.

Description

Directory traversal vulnerability in bb_lib/abbc.css.php in Unclassified NewsBoard (UNB) 1.5.3-d and possibly earlier versions, when register_globals is enabled, allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing null byte (%00) in the design_path parameter. NOTE: this is closely related, but a different vulnerability than the ABBC[Config][smileset] parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by rgod · php · webapps · php
https://www.exploit-db.com/exploits/1777

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unclassified NewsBoard <= 1.6.1 patch 1
Auth required
Prerequisites: register_globals = On · magic_quotes_gpc = Off · valid user account for file upload
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Various Sources mailing-list x_refsource_vim
http://attrition.org/pipermail/vim/2006-May/000769.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/25494

Scores

EPSS 0.0231
EPSS Percentile 81.1%

Details

Status published
Products (1)
unclassified_newsboard/unclassified_newsboard < 1.5.3d
Published May 16, 2006
Tracked Since Feb 18, 2026