CVE-2006-2330 - Local File Include vulnerability in PHP-Fusion
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types by using a filename that contains two or more extensions and ends in an assumed-valid extension such as .gif. This bypasses the validation, as demonstrated by uploading and then executing an avatar file whose name ends in ".php.gif" and which contains PHP code in EXIF metadata.
Exploit-Db
description | PHP-Fusion <= 6.00.306 Multiple Vulnerabilities Exploit. CVE-2006-2330,CVE-2006-2331. Webapps exploit for php platform |
id | EDB-ID:1760 |
last seen | 2016-01-31 |
modified | 2006-05-07 |
published | 2006-05-07 |
reporter | rgod |
source | https://www.exploit-db.com/download/1760/ |
title | PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities Exploit |
References
- http://secunia.com/advisories/19992
- http://securityreason.com/securityalert/873
- http://www.osvdb.org/25537
- http://www.php-fusion.co.uk/news.php
- http://www.securityfocus.com/archive/1/433277/100/0/threaded
- http://www.securityfocus.com/bid/17898
- http://www.vupen.com/english/advisories/2006/1735
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26388