ISS X-Force Database: xoops-uploader-file-upload(19634): XOOPS uploader.php file upload

XOOPS uploader.php file upload

xoops-uploader-file-upload (19634)

High Risk

Description:

XOOPS could allow a remote attacker to upload arbitrary files, caused by improper validation of user-supplied input in the uploader.php script. If Allow Custom Avatar Upload is enabled, a remote attacker could upload a malicious custom avatar with an arbitrary file extension containing arbitrary code allowing the attacker to execute arbitrary code on the system.

Platforms Affected:

XOOPS, XOOPS 2.0.9.2 and prior

Remedy:

Apply the patch for this vulnerability, when it becomes available from the XOOPS CVS Repository Web site. See References.

Consequences:

Gain Access

References:

BugTraq Mailing List, Mon Mar 07 2005 - 20:25:42 CST , xoops 2.0.9.2 and below weak file extension validation at http://archives.neohapsis.com/archives/bugtraq/2005-03/0152.html.
SourceForge.net, SourceForge.net: PRoject Infor - XOOPS Dynamic Web CMS at http://sourceforge.net/projects/xoops/.
Xoops CVS Repository Web site, http://cvs.sourceforge.net/viewcvs.py/*checkout*/xoops/xoops2/class/uploader.php?rev=1.18 at http://cvs.sourceforge.net/viewcvs.py/xoops/xoops2/.
BID-12754: Xoops Custom Avatar Remote Arbitrary PHP File Upload Vulnerability
CVE-2005-0743: The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered.
SA14520: Xoops Avatar Upload File Extension Vulnerability

Reported:

Mar 09, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page