CVE-2006-2330
CVE-2006-2330 is a vulnerability of currently unknown severity. EPSS estimates a 7.83% chance of exploitation in the next 30 days.
Description
PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions and ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.
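The weakness in the description is an upload check that looks only at the final extension, while Apache's mod_mime (when PHP is bound with AddHandler) acts on every extension in the name, so "avatar.php.gif" is both accepted by the check and executed by the server. The following PHP is an added illustration written for this page, not PHP-Fusion's own code: it contrasts a last-extension-only check with a validator that inspects every dot-separated segment, and shows a stored name the server generates itself so the uploader never controls the path. The allow-list, the handler-extension list and the function names are assumptions.

```php
<?php
// Added example (not PHP-Fusion code). Assumed allow-list for avatar uploads.
const ALLOWED_IMAGE_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

// Assumed list of extensions a PHP AddHandler directive would bind; with
// mod_mime these fire anywhere in the name, e.g. "avatar.php.gif".
const HANDLER_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps'];

// Weak check of the kind the advisory describes: only the last extension
// is examined, so "avatar.php.gif" is accepted.
function isAllowedLastExtensionOnly(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true);
}

// Hardened check: require exactly one extension, a conservative base name,
// and reject any segment that names a handler extension.
function isAllowedAllExtensions(string $filename): bool
{
    $base  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', $base);
    if (count($parts) !== 2) {            // "name.ext" only; no double extensions
        return false;
    }
    [$name, $ext] = $parts;
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    foreach ($parts as $segment) {        // defence in depth: no "php" anywhere
        if (in_array(strtolower($segment), HANDLER_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(strtolower($ext), ALLOWED_IMAGE_EXTENSIONS, true);
}

// Server-chosen storage name: a random hex token plus the validated
// extension, so nothing from the client-supplied name reaches the filesystem.
function storageNameFor(string $validatedFilename): string
{
    $ext = strtolower(pathinfo($validatedFilename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names to show the difference between the two checks.
$samples = ['avatar.gif', 'avatar.php.gif', 'avatar.GIF', 'avatar.phtml.jpg', 'avatar'];
foreach ($samples as $s) {
    printf("%-18s last-ext-only=%-5s all-ext=%-5s\n",
        $s,
        isAllowedLastExtensionOnly($s) ? 'pass' : 'fail',
        isAllowedAllExtensions($s)     ? 'pass' : 'fail');
}
```

Filename checks alone do not address the EXIF vector the advisory mentions, since the payload lives inside an otherwise valid image; the complementary controls are storing uploads under a server-generated name, serving the upload directory with script handlers disabled, and keeping uploads outside the document root where possible.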
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Php Fusion | Php Fusion | 6.00.3 |
| Php Fusion | Php Fusion | 6.00.105 |
| Php Fusion | Php Fusion | 6.00.106 |
| Php Fusion | Php Fusion | 6.00.107 |
| Php Fusion | Php Fusion | 6.00.109 |
| Php Fusion | Php Fusion | 6.00.110 |
| Php Fusion | Php Fusion | 6.00.204 |
| Php Fusion | Php Fusion | 6.00.206 |
| Php Fusion | Php Fusion | 6.00.303 |
| Php Fusion | Php Fusion | 6.00.304 |
| Php Fusion | Php Fusion | 6.00.306 |
References
- http://secunia.com/advisories/19992 (Patch, Vendor Advisory)
Source: NVD / NIST
