OzzyWork Galeri add.asp Arbitrary File Upload

2006-05-09T03:47:37
ID OSVDB:25427
Type osvdb
Reporter Dj ReMix(Dj_ReMix_20@hotmail.com)
Modified 2006-05-09T03:47:37

Description

Vulnerability Description

OzzyWork contains a flaw that may allow a malicious user to upload arbitrary files. The issue is caused by improper file extension checks in add.asp. It is possible that the flaw may allow an attacker to upload and execute arbitrary ASP code, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.indirmax.org/program.asp?id=2696
Secunia Advisory ID: 20049
Related OSVDB ID: 25426
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0176.html
ISS X-Force ID: 26365
FrSIRT Advisory: ADV-2006-1768
CVE-2006-6994
Bugtraq ID: 17946