PHP-Fusion.Local.File.Inclusion

Description

PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types, using a filename that contains two or more extensions that end in an assumed-valid extension such as .gif. This bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.
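The bypass works because the check accepts any name that ends in an image extension, while Apache's multi-extension handling still sees the ".php" component in "avatar.php.gif". The validator below is an added illustration of the defensive check, not code from PHP-Fusion or from this advisory; it is written in Python rather than PHP, and the allow-list, the magic-byte table and the sample inputs are assumptions for the example. It rejects any upload name that does not have exactly one extension, requires that extension to be on an allow-list, verifies the content starts with the matching image magic bytes, and never reuses the client-supplied name on disk.

```python
import os
import secrets

# Allow-listed final extensions for avatar uploads (assumption for this example).
ALLOWED_IMAGE_EXT = {"gif", "jpg", "jpeg", "png"}

# Leading bytes the stored content must carry for each accepted extension.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

_STEM_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")


def validate_upload(filename, content):
    """Return (ok, detail).

    ok is True only when the client name has exactly one extension, that
    extension is allow-listed, and the content begins with the matching
    image magic bytes. On success detail is the normalised extension;
    on failure it is the reason for rejection.
    """
    # Drop any directory part the client may have sent (either separator).
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    # "avatar.php.gif" splits into three parts and is rejected here; this is
    # the check that closes the double-extension bypass described above.
    if len(parts) != 2:
        return False, "filename must have exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not stem or len(stem) > 64 or any(c not in _STEM_CHARS for c in stem):
        return False, "unsafe characters in filename"
    if ext not in ALLOWED_IMAGE_EXT:
        return False, "extension not allowed"
    # An image extension with non-image content is rejected as well.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext):
    """Server-generated file name: 32 hex characters plus the validated
    extension, so nothing the client chose reaches the file system."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample uploads, not captured traffic.
    samples = [
        ("avatar.php.gif", b"GIF89a" + b"\x00" * 16),
        ("avatar.gif", b"GIF89a" + b"\x00" * 16),
        ("avatar.gif", b"<?php echo 1; ?>"),
        ("../../avatar.GIF", b"GIF87a" + b"\x00" * 16),
    ]
    for fname, data in samples:
        ok, detail = validate_upload(fname, data)
        print(f"{fname!r}: {'accepted as ' + storage_name(detail) if ok else 'rejected (' + detail + ')'}")
```

The magic-byte check alone would not have stopped this case, since a real GIF with code embedded in its metadata still carries a valid header; the checks that matter are the single-extension rule and the generated storage name. Serving the upload directory with script execution disabled in the web server is the complementary control on the hosting side.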

Affected Products

PHP-Fusion 6.00.306 and earlier.

Impact

Allows remote authenticated users to upload files of arbitrary types.

Recommended Actions

Update to version 6.00.307.
http://www.php-fusion.co.uk/downloads.php

Telemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)