it's a php flaw and not a ubb flaw. ( from what i've gathered )
if your host is running php as a CGI, then there is a known exploit to any php that can be temporarily fixed with .htaccess change..
http://www.php.net/archive/2012.php#id2012-05-03-1To fix this, update to PHP 5.3.12 or PHP 5.4.2.
We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP.
An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:
( mod_rewrite must be enabled - usually is - add to .htaccess )
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]can you run phpinfo ( from your cpanel and verify ? )
ty
