Summary: xoops 2.0.9.2 and below weak file extension validation Description =========== XOOPS is an extensible, OO (Object Oriented), easy to use dynamic web content management system written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more. Details ======= User may upload valid image file with insecure extension through avatar upload if "Allow custom avatar upload" is set to "Yes" in "User Info Settings". This setting is not on in default installation. This is cause of weak file extension validation XoopsMediaUploader class in file uploader.php. if ( preg_match( '/\.(php|cgi|pl|py|asp)$/i', $this->mediaName ) ) { $this->setErrors('Filename rejected'); return false; } In some web server installation other extension like .phtml,*.php3 is threat as php script. Workaround ========== Set "Allow custom avatar upload" to "No" in "User Info Settings". Proof of concept ================ Rename image to "image.php3" and upload as avatar using "Internet Explorer". Vendor Response =============== 27th February 2005 - Vendor contacted but no response.
Official notice http://www.xoops.org/modules/news/article.php?storyid=2114
Fix seems to be available in upstream CVS and a new release should be out soon. Seems like one can upload a script with extensions like .php3, which could be interpreted by the web server as an php script. In that case this might be a ~1.
Going to bump to 2.0.9.2 (latest still-vulnerable version) and patch it. FYI this package isn't stable on any archs.
2.0.9.2 w/patch is in CVS.
Thanks Aaron. This package was never stable; closing without GLSA.
