CVE-2005-0743

Description

The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered.

Affected products

• Xoops / xoops1.0_rc1 – 1.0_rc1
• Xoops / xoops1.0_rc3 – 1.0_rc3
• Xoops / xoops1.0_rc3.0.5 – 1.0_rc3.0.5
• Xoops / xoops1.3.5 – 1.3.5
• Xoops / xoops1.3.6 – 1.3.6
• Xoops / xoops1.3.7 – 1.3.7
• Xoops / xoops1.3.8 – 1.3.8
• Xoops / xoops1.3.9 – 1.3.9
• Xoops / xoops1.3.10 – 1.3.10
• Xoops / xoops2.0 – 2.0
• Xoops / xoops2.0.1 – 2.0.1
• Xoops / xoops2.0.2 – 2.0.2
• Xoops / xoops2.0.3 – 2.0.3
• Xoops / xoops2.0.5 – 2.0.5
• Xoops / xoops2.0.5.1 – 2.0.5.1
• Xoops / xoops2.0.5.2 – 2.0.5.2
• Xoops / xoops2.0.9.2 – 2.0.9.2

References

• VENDOR_ADVISORYhttp://secunia.com/advisories/14520
• MISChttp://www.xoops.org/modules/news/article.php?storyid=2114
• MISChttp://www.securityfocus.com/archive/1/392626
• MISChttp://www.securityfocus.com/bid/12754
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/19634