Vulnerabilities > CVE-2005-2781 - Unspecified vulnerability in Ilia Alshanetsky Fudforum

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

ilia-alshanetsky

nessus

NVD

Published: 2005-09-02

Updated: 2018-10-19

Summary

The Avatar upload feature in FUD Forum before 2.7.0 does not properly verify uploaded files, which allows remote attackers to execute arbitrary PHP code via a file with a .php extension that contains image data followed by PHP code.

Vulnerable Configurations

Part	Description	Count
Application	Ilia_Alshanetsky Ilia Alshanetsky Fudforum 2.1.0 Ilia Alshanetsky Fudforum 2.1.1 Ilia Alshanetsky Fudforum 2.1.2 Ilia Alshanetsky Fudforum 2.1.3 Ilia Alshanetsky Fudforum 2.2.0 Ilia Alshanetsky Fudforum 2.2.1 Ilia Alshanetsky Fudforum 2.2.2 Ilia Alshanetsky Fudforum 2.2.3 Ilia Alshanetsky Fudforum 2.2.4 Ilia Alshanetsky Fudforum 2.2.5 Ilia Alshanetsky Fudforum 2.3.0 Ilia Alshanetsky Fudforum 2.3.1 Ilia Alshanetsky Fudforum 2.3.2 Ilia Alshanetsky Fudforum 2.3.3 Ilia Alshanetsky Fudforum 2.3.4 Ilia Alshanetsky Fudforum 2.3.5 Ilia Alshanetsky Fudforum 2.3.6 Ilia Alshanetsky Fudforum 2.3.7 Ilia Alshanetsky Fudforum 2.3.8 Ilia Alshanetsky Fudforum 2.5.0 Ilia Alshanetsky Fudforum 2.5.1 Ilia Alshanetsky Fudforum 2.5.2 Ilia Alshanetsky Fudforum 2.6.0 Ilia Alshanetsky Fudforum 2.6.1 Ilia Alshanetsky Fudforum 2.6.2 Ilia Alshanetsky Fudforum 2.6.3 Ilia Alshanetsky Fudforum 2.6.4 Ilia Alshanetsky Fudforum 2.6.5 Ilia Alshanetsky Fudforum 2.6.6 Ilia Alshanetsky Fudforum 2.6.7 Ilia Alshanetsky Fudforum 2.6.8 Ilia Alshanetsky Fudforum 2.6.9 Ilia Alshanetsky Fudforum 2.6.10 Ilia Alshanetsky Fudforum 2.6.11 Ilia Alshanetsky Fudforum 2.6.12 Ilia Alshanetsky Fudforum 2.6.13 Ilia Alshanetsky Fudforum 2.6.14 Ilia Alshanetsky Fudforum 2.6.15 Ilia Alshanetsky Fudforum 2.7.0	39

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1063.NASL
description	It was discovered that the Avatar upload feature of FUD Forum, a component of the web-based groupware system phpgroupware, does not sufficiently validate uploaded files, which might lead to the execution of injected web script code.
last seen	2020-06-01
modified	2020-06-02
plugin id	22605
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22605
title	Debian DSA-1063-1 : phpgroupware - missing input sanitising

NASL family	CGI abuses
NASL id	FUDFORUM_AVATAR_UPLOAD.NASL
description	The remote host is running FUDforum, an open source web forum written in PHP. According to its banner, the version of FUDforum installed on the remote host may allow an authenticated attacker to upload a file with arbitrary PHP code as an avatar image and later run that code subject to the privileges of the web server user id.
last seen	2020-06-01
modified	2020-06-02
plugin id	19520
published	2005-08-29
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19520
title	FUDforum < 2.7.1 Avatar Upload Extension Validation Weakness Arbitrary Code Execution

Summary

Vulnerable Configurations

Nessus

References