VID | 21874
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The FCKeditor addon for CubeCart contains an arbitrary file upload vulnerability. CubeCart is an ecommerce script written in PHP and MySQL. FCKeditor is an HTML text editor written in PHP. CubeCart versions prior to 3.0.10 could allow a remote attacker to upload arbitrary files because of a vulnerability in the connector.php script in the FCKeditor addon. By sending a specially crafted URL request to the connector.php script, a remote attacker could exploit this vulnerability to upload arbitrary PHP files and execute arbitrary commands on the affected host.
* References:
  http://www.securityfocus.com/archive/1/425931
  http://www.cubecart.com/site/forums/index.php?showtopic=17335
  http://www.cubecart.com/site/forums/index.php?showtopic=17338
* Platforms Affected:
  CubeCart versions prior to 3.0.10
  Linux Any version
  Unix Any version
Recommendation | Upgrade to the latest version of CubeCart (3.0.10 or later), available from the CubeCart Web site at http://www.cubecart.com/site/home/
Related URL | CVE-2006-0922 (CVE)
Related URL | 16796 (SecurityFocus)
Related URL | 24883 (ISS)