UltraBoard 1.6 (and possibly all 1.x versions) is vulnerable to a directory traversal attack that will allow any remote browser to download any file that the webserver has read access to. On Windows instalations, the file must reside on the same logical drive as the webroot. In all cases, the filename and relative path from the webroot must be known to the attacker.
This is accomplished through a combination of the '../' string and the usage of a null byte (x00) in the variables passed to the UltraBoard CGI.
UltraBoard contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the "UltraBoard.pl" not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "Post" variable.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.