Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2008-2742
Last Modified 14 Apr 2009 01:32:35
Published 17 Jun 2008 11:41:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-2742

Summary

Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) in Achievo 1.2.0 through 1.3.2 allows remote attackers to execute arbitrary code by uploading a file with .php followed by a safe extension, then accessing it via a direct request to the file in the Achievo root directory. NOTE: this is only a vulnerability in environments that support multiple extensions, such as Apache with the mod_mime module enabled.

Vulnerable Systems

Application

  • Achievo 1.2.0

  • Achievo 1.2.1

  • Achievo 1.3.0

  • Achievo 1.3.1

  • Achievo 1.3.2


References

XF - achievo-config-file-upload(42980)

BID - 29621

MILW0RM - 5770

CONFIRM - http://www.achievo.org/blog/archives/631-Achievo-1.3.3-Security-Release.html

SECUNIA - 30597


Last Updated: 27 May 2016 10:47:58