MoniWiki UploadFile.php Multiple File Extension Arbitrary Script Upload/Execution

2004-12-15T11:09:26
ID OSVDB:12398
Type osvdb
Reporter Jeremy Bae (swbae@stgsecurity.com)
Modified 2004-12-15T11:09:26

Description

Vulnerability Description

MoniWiki contains a flaw that may allow a malicious user to upload scripts and/or execute arbitrary code. The issue is triggered when a malicious user attempts to upload a file with multiple file extensions. It is possible that the flaw may allow an intruder to upload files and/or execute code inside the web root, resulting in a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Dongsu Jang has released a patch to address this vulnerability. Disabling mod_mime will prevent the execution of arbitrary code.
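
A defensive filename check for the multiple-extension case described above, as an added example (it is not MoniWiki's code and not the patch by Dongsu Jang). It relies on Apache mod_mime's documented behaviour of mapping every dot-separated extension in a filename, not only the last one; the function name, the allowlist and the sample names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: set it to the types the wiki should really accept.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'gif', 'txt', 'pdf'];

/**
 * Return a storage-safe name for an uploaded file, or null to reject it.
 * The stored name keeps exactly one dot, so no inner segment such as
 * ".php" is left for the web server to map to a handler.
 */
function safe_upload_name(string $clientName, array $allowed = ALLOWED_EXTENSIONS): ?string
{
    // Refuse control characters (including NUL), then drop any client path.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    $name = basename(str_replace('\\', '/', $clientName));

    $parts = explode('.', $name);
    // Require "stem.ext": names without an extension, dotfiles such as
    // ".htaccess" and names with a trailing dot are all rejected here.
    if (count($parts) < 2 || $parts[0] === '' || end($parts) === '') {
        return null;
    }

    // Only the final extension decides acceptance, compared case-insensitively.
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // Join the remaining segments with "_" and replace anything outside a
    // conservative character set, so "a.php.png" is stored as "a_php.png".
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', implode('_', $parts));
    return $stem . '.' . $ext;
}

// Constructed sample names, not taken from the advisory.
$samples = ['photo.PNG', 'notes.php.txt', 'page.php.rar', '.htaccess', '../up/x.gif'];
foreach ($samples as $sample) {
    $result = safe_upload_name($sample);
    printf("%-16s => %s\n", $sample, $result ?? 'REJECTED');
}
```

Storing uploads outside the web root, or in a directory where no script handler is configured, complements this check.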

References:

Vendor URL: http://kldp.net/projects/moniwiki/
Security Tracker: 1012532
Secunia Advisory ID: 13478
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0177.html
ISS X-Force ID: 18493
CVE-2004-1545
Bugtraq ID: 11951