GNUBoard gbupdate.php Arbitrary File Upload

2005-01-03T00:00:00
ID OSVDB:12710
Type osvdb
Reporter Jeremy Bae (swbae@stgsecurity.com)
Modified 2005-01-03T00:00:00

Description

Vulnerability Description

GNUBoard contains a flaw that may allow a malicious user to upload arbitrary files. The issue is triggered when a filename whose extension contains capital letters is submitted to gbupdate.php. It is possible that the flaw may allow arbitrary code execution, resulting in a loss of integrity.
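
The advisory does not show gbupdate.php's code. As an added illustration (not GNUBoard's code), the PHP below assumes the check was a case-sensitive extension blocklist and contrasts it with a case-normalized allowlist; the function names, list contents and sample filenames are all constructed.

```php
<?php
// Added illustration; not GNUBoard code. All names and lists are assumptions.

// Weak pattern: case-sensitive blocklist compared against the raw extension.
function weak_extension_check(string $filename): bool
{
    $blocked = ['php', 'php3', 'phtml', 'html', 'htm', 'cgi', 'pl'];
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, $blocked, true);   // "PHP" !== "php", so it passes
}

// Hardened pattern: normalize case, allowlist, never reuse the client's name.
function hardened_upload_name(string $filename): ?string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'zip'];
    $base = basename(str_replace('\\', '/', $filename)); // drop any path part
    if (strpos($base, "\0") !== false) {
        return null;                           // reject embedded NUL bytes
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;                           // reject anything not listed
    }
    // Server-generated stored name: client input contributes only the
    // already validated, lowercased extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames.
$samples = ['photo.JPG', 'notes.txt', 'page.php', 'page.PHP',
            'page.pHp', 'archive.tar.Phtml', 'noext'];
foreach ($samples as $name) {
    $stored = hardened_upload_name($name);
    printf(
        "%-18s weak=%-6s hardened=%s\n",
        $name,
        weak_extension_check($name) ? 'accept' : 'reject',
        $stored === null ? 'reject' : 'accept as ' . $stored
    );
}
```

The allowlist decides what is stored; serving uploads from a directory where script execution is disabled limits the impact if a check is ever bypassed.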

Solution Description

Upgrade to version 3.40 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.sir.co.kr/
Security Tracker: 1012753
Secunia Advisory ID: 13711
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0013.html
CVE-2005-0269