OSVDB ID: 24387

Title: Crafty Syntax Image Gallery Crafted HTTP POST Request Arbitrary PHP Code Execution

Info

Disclosure

Apr 04, 2006

Discovery

Unknown

Dates

Exploit

Apr 04, 2006

Solution

Unknown

Description

Crafty Syntax Image Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to a flaw in the newimage.php script which does not properly validate uploaded images. This may allow an attacker to upload arbitrary PHP scripts using manipulated HTTP POST data that contains arbitrary commands which will be executed with the privileges of the web server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Eric Gerdes

Crafty Syntax Image Gallery

3.1g

References

Milw0rm: 1645
Exploit Database: 1645
Secunia Advisory ID: 19478
CVE ID: 2006-1668 (see also: NVD)
Related OSVDB ID: 24386
ISS X-Force ID: 25655
VUPEN Advisory: ADV-2006-1239
Vendor URL: http://sourceforge.net/projects/csyntax/

Credit

r0t - krustevsgooglemail.com - UNSECURED SYSTEMS

Direct URL: http://osvdb.org/24387