BLOG:CMS photo/thumb.php image Variable Arbitrary Image Upload

2006-07-05T13:33:52
ID OSVDB:27028
Type osvdb
Reporter Ellipsis Security(securityconnection@gmail.com)
Modified 2006-07-05T13:33:52

Description

Vulnerability Description

BLOG:CMS contains a flaw that may allow a malicious user to upload arbitrary files. The issue is due to the photo/thumb.php script not properly sanitizing user input supplied to the 'image' variable. The flaw may allow a remote attacker to execute arbitrary commands, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
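Since no vendor fix was available at the time of the advisory, the following is an added example (not BLOG:CMS code) of how a thumbnail script such as photo/thumb.php could confine its gallery and image parameters before touching the filesystem. The base directory name, the parameter names and the allowed extensions are assumptions.

```php
<?php
// Added example, not BLOG:CMS code: hardened handling of the gallery and
// image request parameters for a thumbnail script.
// Assumptions: galleries live under PHOTO_ROOT and only the listed
// extensions are ever served as images.

const PHOTO_ROOT = __DIR__ . '/galleries';   // assumed base directory

/**
 * Return the absolute path of the requested image, or null if the request
 * must be refused. Both parameters are restricted to a single path
 * component by allow-list, and the resolved path must stay under PHOTO_ROOT.
 */
function resolve_image(string $gallery, string $image): ?string
{
    // Allow-list the characters: no slashes, no '..', no NUL bytes, so a
    // gallery given as './Corvette' (as in the advisory URL) is rejected;
    // the script already knows where its galleries live.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $gallery)) {
        return null;
    }
    // The image must be a plain name with an image extension; anything
    // ending in .php or similar never reaches the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $image)) {
        return null;
    }
    // Defense in depth: realpath() resolves symlinks and returns false for
    // missing files; require the result to remain inside the gallery root.
    $root = realpath(PHOTO_ROOT);
    $path = realpath(PHOTO_ROOT . '/' . $gallery . '/' . $image);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_image((string)($_GET['gallery'] ?? ''), (string)($_GET['image'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid gallery or image');
}
// Generate the thumbnail from $path with an image library (not shown);
// the validated path is only ever read, never included or executed.
```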

Manual Testing Notes

http://[target]/photo/thumb.php?gallery=./Corvette&image=[EVIL_SCRIPT]

References:

Vendor URL: http://blogcms.com
Secunia Advisory ID: 20955
Related OSVDB ID: 27027
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0058.html