Vulnerability Note VU#914793
PhpWiki fails to properly restrict uploaded files
PhpWiki fails to properly restrict uploaded files, which can allow a remote attacker to execute arbitrary commands on a vulnerable system.
PhpWiki is wiki software implemented in PHP. PhpWiki includes an "UpLoad" feature that allows users to upload files. Files with a .php extension are not permitted; however, other extensions are allowed. This can allow an attacker to upload a file that can be processed by PHP on the PhpWiki server.
Note that this vulnerability is being actively exploited.
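The following added example (not PhpWiki source code and not a vendor fix) contrasts a check that refuses only the .php extension, as described above, with an allowlist check that accepts only known inert extensions. The function names, the allowed-extension list and the `.handled` extension, which stands in for any extension a server is assumed to map to PHP, are assumptions made for illustration.

```php
<?php
// Added illustration; not PhpWiki code. Names and lists are assumptions.

// Blocklist check of the kind the note describes: only ".php" is refused,
// so every other extension is accepted by default.
function blocklist_allows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Allowlist check: the name must be plain and every dot-separated suffix
// must be a type the site has decided to accept.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'gif', 'pdf', 'txt'];

function allowlist_allows(string $filename): bool
{
    $base = basename($filename);
    // Require a stem plus at least one suffix, from a conservative character set.
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+\z/', $base)) {
        return false;
    }
    $parts = explode('.', strtolower($base));
    array_shift($parts); // drop the stem, keep every suffix
    foreach ($parts as $suffix) {
        if (!in_array($suffix, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names. ".handled" is a hypothetical extension that the
// server is assumed to pass to the PHP interpreter.
$samples = ['diagram.png', 'page.php', 'page.handled', 'report.final.pdf'];
foreach ($samples as $name) {
    printf(
        "%-18s blocklist=%-5s allowlist=%s\n",
        $name,
        blocklist_allows($name) ? 'allow' : 'deny',
        allowlist_allows($name) ? 'allow' : 'deny'
    );
}
```

The blocklist accepts `page.handled` because it only knows about .php, while the allowlist refuses it; the allowlist also refuses `report.final.pdf`, which shows the usability cost of checking every suffix.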
A remote attacker may be able to execute arbitrary PHP code on a vulnerable server. This can allow arbitrary command execution on the system.
We are currently unaware of a practical solution to this problem.
Systems Affected
No information available.
Thanks to Reini Urban for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 08 Apr 2007
- Date First Published: 12 Apr 2007
- Date Last Updated: 13 Apr 2007
- Severity Metric: 18.42
- Document Revision: 7