| VID |
21518 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its version number, the installed paFileDB has an arbitrary file upload and execution vulnerability. paFileDB is a Web-based file download management program developed by PHP Arena that uses a MySQL database. paFileDB versions 3.1 and earlier can allow a remote attacker to upload malicious files to the server. After a file has been uploaded, it may also be possible for the attacker to execute the file remotely.
* Note: This check relies solely on the version number of the paFileDB program installed on the remote Web server to assess this vulnerability, so this finding might be a false positive.
* References: http://archives.neohapsis.com/archives/bugtraq/2005-01/0342.html http://marc.theaimsgroup.com/?l=bugtraq&m=110720365923818&w=2
* Platforms Affected: PHP Arena: paFileDB versions 3.1 and earlier; Linux: any version; Microsoft Windows: any version; Unix: any version |
| Recommendation |
This problem has been fixed in a second release of paFileDB version 3.1. Please note, the vendor has intentionally not incremented the version number. This was done to prevent attackers from easily identifying unpatched systems. Upgrade to this version of paFileDB, available from the PHP Arena Download Web site at http://www.phparena.net/downloads/pafiledb.php?action=file&id=16
-- OR --
Apply the appropriate patch for your system, available from the PHP Arena Support Web site at http://forums.phparena.net/index.php?act=ST&f=26&t=2170 |
| Related URL |
(CVE) |
| Related URL |
8271 (SecurityFocus) |
| Related URL |
12717 (ISS) |
|