CVE-2006-3336 Information

Description

TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as .php.en, .php.1, and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory.

Reference

http://secunia.com/advisories/20992
http://securitytracker.com/id?1016458
http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads
http://www.securityfocus.com/bid/18854
http://www.vupen.com/english/advisories/2006/2677
