Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.0
CVE Id CVE-2006-3336
Last Modified 07 Mar 2011 09:38:23
Published 05 Jul 2006 04:05:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2006-3336

Summary

TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory.

Vulnerable Systems

Application

  • Twiki 2000-12-01

  • Twiki 2001-09-01

  • Twiki 2001-12-01

  • Twiki 2003-02-01

  • Twiki 2004-09-01

  • Twiki 2004-09-02

  • Twiki 2004-09-03

  • Twiki 2004-09-04

  • Twiki 4.0

  • Twiki 4.0.0

  • Twiki 4.0.1

  • Twiki 4.0.2

  • Twiki 4.0.3


References

CONFIRM - http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads

SECTRACK - 1016458

SECUNIA - 20992

VUPEN - ADV-2006-2677

BID - 18854


Last Updated: 27 May 2016 10:42:58