OSVDB ID: 16334

Title: boastMachine users.inc.php File Extension Validation Arbitrary File Upload

Info

Disclosure

May 11, 2005

Discovery

Unknown

Dates

Exploit

May 11, 2005

Solution

Unknown

Description

boastMachine contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to users.inc.php not properly sanitizing user picture file extensions, which can be uploaded inside the web root. This may allow an attacker to include a file that contains arbitrary PHP code that can be executed.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

boastology

boastMachines

3.0

References

Bugtraq ID: 13600
Secunia Advisory ID: 15312
CVE ID: 2005-1580 (see also: NVD)
Vendor URL: http://boastology.com/
Other Advisory URL: http://www.kernelpanik.org/docs/kernelpanik/bmachines.txt

Credit

FraMe - framehispalab.com -

Direct URL: http://osvdb.org/16334