| VID |
21620 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The e107 Website System, according to its version number, has a file upload vulnerability in the images.php script. e107 is a freely available, Web content management system written in PHP. e107 version 0.616 and earlier versions could allow a remote attacker to upload arbitrary files on the affected host. The problem is that images with arbitrary file extensions can be uploaded via the Image Manager in "images.php" script. This can be exploited to upload malicious script files (e.g. PHP scripts) inside the web root. A remote attacker could exploit this vulnerability by uploading malicious PHP files to execute arbitrary code in the context of the Web server.
* Note: This check solely relied on the version number of e107 installed on the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://e107.org/comment.php?comment.news.672
http://securitytracker.com/alerts/2004/Dec/1012657.html
http://secunia.com/advisories/13657/
* Platforms Affected:
e107 version 0.616 and earlier versions
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of e107 (0.617 or later), available from the e107 Web page at http://www.e107.org |
| Related URL |
CVE-2004-2262 (CVE) |
| Related URL |
12111 (SecurityFocus) |
| Related URL |
18670 (ISS) |
|
