CVE

Id
18434  
CVE No.
CVE-2006-2330  
Status
Candidate  
Description
PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.  
Phase
Assigned (20060511)  
Votes
None (candidate not yet proposed)  
Comments
 

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
160113 18434 CVE-2006-2330 BUGTRAQ:20060508 PHPFusion <= v6.00.306 avatar mod_mime arbitrary file upload & local inclusion vulnerabilities  View
160114 18434 CVE-2006-2330 URL:http://www.securityfocus.com/archive/1/archive/1/433277/100/0/threaded  View
160115 18434 CVE-2006-2330 CONFIRM:http://www.php-fusion.co.uk/news.php  View
160116 18434 CVE-2006-2330 BID:17898  View
160117 18434 CVE-2006-2330 URL:http://www.securityfocus.com/bid/17898  View
160118 18434 CVE-2006-2330 VUPEN:ADV-2006-1735  View
160119 18434 CVE-2006-2330 URL:http://www.vupen.com/english/advisories/2006/1735  View
160120 18434 CVE-2006-2330 OSVDB:25537  View
160121 18434 CVE-2006-2330 URL:http://www.osvdb.org/25537  View
160122 18434 CVE-2006-2330 SECUNIA:19992  View
160123 18434 CVE-2006-2330 URL:http://secunia.com/advisories/19992  View
160124 18434 CVE-2006-2330 SREASON:873  View
160125 18434 CVE-2006-2330 URL:http://securityreason.com/securityalert/873  View
160126 18434 CVE-2006-2330 XF:phpfusion-avatar-extensions-code-execution(26388)  View

Related JVN