PHP-Fusion includes/update_profile_include.php avatar extensions code execution

phpfusion-avatar-extensions-code-execution (26388) The risk level is classified as Medium Risk

Description:

PHP-Fusion could allow a remote attacker to execute arbitrary PHP code on the vulnerable system, caused by improper handling of filenames containing multiple file extensions. If the Apache server with the mod_mime module is installed, a remote attacker could upload a specially crafted avatar image file containing PHP code as EXIF metadata to the includes/update_profile_include.php script, and that code would then be executed on the target system.
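
The following is an added example, not code from PHP-Fusion or from this advisory: an upload-name check that treats every dot-separated segment of a filename as an extension, the way mod_mime does, instead of looking only at the last one. The handler and image extension sets and all function names are assumptions made for illustration.

```python
import os
import secrets

# Assumption: extensions the local Apache configuration maps to the PHP handler.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml"}
# Assumption: image types the site accepts for avatars.
ALLOWED_IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}


def mod_mime_extensions(filename):
    """Every dot-separated segment after the first counts as an extension,
    so "avatar.php.gif" has two: "php" and "gif". Returned lower-cased."""
    base = os.path.basename(filename)
    return [part.lower() for part in base.split(".")[1:] if part]


def handler_extensions(filename, handler_exts=PHP_HANDLER_EXTS):
    """Extensions in the name that map to a script handler, in any position."""
    return [ext for ext in mod_mime_extensions(filename) if ext in handler_exts]


def rejection_reason(filename):
    """Return None if the name is acceptable, otherwise why it is refused."""
    exts = mod_mime_extensions(filename)
    if not exts or exts[-1] not in ALLOWED_IMAGE_EXTS:
        return "final extension is not an allowed image type"
    if len(exts) > 1:
        return "more than one extension: " + ".".join(exts)
    return None


def stored_avatar_name(filename):
    """Build the on-disk name server-side: random stem plus one checked extension."""
    reason = rejection_reason(filename)
    if reason is not None:
        raise ValueError(reason)
    return secrets.token_hex(8) + "." + mod_mime_extensions(filename)[-1]


def audit_names(names):
    """Flag existing files whose names carry a handler extension anywhere."""
    return [name for name in names if handler_extensions(name)]


if __name__ == "__main__":
    # Constructed sample names, as might be listed from an avatar directory.
    print(audit_names(["photo.gif", "avatar.php.gif", "User.PHTML.jpg"]))
```

The name check only closes the multiple-extension path; PHP code embedded in EXIF metadata stays in the file unless the image is re-encoded.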

Platforms Affected:

  • PHP Fusion, PHP Fusion 6.00.105
  • PHP Fusion, PHP Fusion 6.00.106
  • PHP Fusion, PHP Fusion 6.00.107
  • PHP Fusion, PHP Fusion 6.00.109
  • PHP Fusion, PHP Fusion 6.00.110
  • PHP Fusion, PHP Fusion 6.00.204
  • PHP Fusion, PHP Fusion 6.00.206
  • PHP Fusion, PHP Fusion 6.00.3
  • PHP Fusion, PHP Fusion 6.00.303
  • PHP Fusion, PHP Fusion 6.00.304
  • PHP Fusion, PHP Fusion 6.00.306

Remedy:

Upgrade to the latest version of PHP-Fusion (6.00.306 or later), available from the PHP-Fusion Web site. See References.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Mon May 08 2006 - 14:55:07 CDT, PHPFusion <= v6.00.306 avatar mod_mime arbitrary file upload & local inclusion vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2006-05/0152.html.
  • PHP-Fusion Web site, PHP-Fusion Deutsche Support Seite at http://www.php-fusion.de/news.php.
  • BID-17898: PHP-Fusion Multiple Local File Include Vulnerabilities
  • CVE-2006-2330: PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in .php.gif and contains PHP code in EXIF metadata.
  • OSVDB ID: 25537: PHP-Fusion File Upload Restriction Bypass
  • SA19992: PHP-Fusion Multiple Vulnerabilities
  • VUPEN/ADV-2006-1735: PHP-Fusion Arbitrary Avatar Upload and Local File Inclusion Vulnerabilities

Reported:

May 09, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net