CVE-2006-2330 Information

Description

PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types by using a filename that contains two or more extensions, the last of which is an assumed-valid extension such as .gif. This bypasses the upload validation, as demonstrated by uploading and then executing an avatar file whose name ends in .php.gif\ and which contains PHP code in EXIF metadata.
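As an added example (not the page's or PHP-Fusion's own code), a hypothetical Python validator contrasts a check of the shape described above, which only inspects the final extension, with a hardened check that permits exactly one allow-listed extension, verifies the file's leading bytes, and stores the upload under a server-generated name; the extension and magic-byte tables and the SAFE_NAME pattern are assumptions.

```python
import re
import secrets

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}
# Leading bytes of the allowed image formats (constructed lookup table).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# One base name and exactly one extension; no extra dots, slashes,
# backslashes or spaces (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def weak_check(filename: str) -> bool:
    """Check of the shape the advisory describes: only the final extension is
    inspected, so 'avatar.php.gif' passes even though a server that maps every
    extension in a name to a handler may still execute it as PHP."""
    return filename.lower().endswith(tuple("." + e for e in ALLOWED_EXTENSIONS))


def accept_upload(filename: str, data: bytes):
    """Return a server-generated storage name for an acceptable upload, else None.

    Hardened form (hypothetical): exactly one extension, taken from an
    allow-list, leading bytes consistent with that format, and the
    client-supplied name discarded so multi-extension handler matching never
    sees it."""
    m = SAFE_NAME.fullmatch(filename)
    if m is None:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    # A magic-byte check does not prove the file is free of script text (the
    # advisory's sample carried PHP code in EXIF metadata), so the stored file
    # must additionally live where no script handler is configured, or be
    # re-encoded by an image library before it is written to disk.
    return f"{secrets.token_hex(8)}.{ext}"
```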

Reference

http://secunia.com/advisories/19992
http://securityreason.com/securityalert/873
http://www.osvdb.org/25537
http://www.php-fusion.co.uk/news.php
http://www.securityfocus.com/archive/1/433277/100/0/threaded
http://www.securityfocus.com/bid/17898
http://www.vupen.com/english/advisories/2006/1735
https://exchange.xforce.ibmcloud.com/vulnerabilities/26388