CVE-2007-5156 – Lanius CMS 1.2.16 - 'FCKeditor' Arbitrary File Upload

https://notcve.org/view.php?id=CVE-2007-5156

Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529. Una vulnerabilidad de lista negra incompleta en el archivo editor/filemanager/upload/php/upload.php en FCKeditor, tal y como es usado en SiteX CMS versiones 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, y probablemente otros productos, permite a atacantes remotos cargar y ejecutar código PHP arbitrario por medio de un archivo cuyo nombre contiene ".php." y que presenta una extensión desconocida, la cual es reconocida como un archivo .php por el servidor HTTP de Apache, una vulnerabilidad diferente de CVE-2006-0658 y CVE-2006-2529. • https://www.exploit-db.com/exploits/5618 https://www.exploit-db.com/exploits/5688 http://dev.fckeditor.net/changeset/973 http://dev.fckeditor.net/ticket/1325 http://downloads.securityfocus.com/vulnerabilities/exploits/30677.php http://secunia.com/advisories/27123 http://secunia.com/advisories/27174 http://securityreason.com/securityalert/3182 http://sourceforge.net/forum/forum.php?forum_id=743930 http://sourceforge.net/project/shownotes.php?release_id=546000 http://www.securityfocus.c •