FrSIRT Advisory:
P-News Arbitrary PHP File Upload and Remote Information Disclosure Vulnerabilities
November 30, 2006 @ 09:51:00

According to this advisory on the FrSIRT website, users of the P-News package have two issues to worry about: an arbitrary file upload vulnerability and a remote information disclosure vulnerability.

Multiple vulnerabilities have been identified in P-News, which could be exploited by remote attackers to compromise a vulnerable server or disclose sensitive information.

The file upload issue comes from the avatar upload feature, which doesn't validate the file extension of what is uploaded. The second issue is a design flaw: the user information (a text file) is stored inside the document root.

Unfortunately, no official patch has been supplied at this time, but a few quick edits to the code can make these issues go away.
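As an added illustration of the kind of edit meant here (this is not P-News code or the advisory's fix), the sketch below validates an avatar upload and keeps both avatars and the user data file out of the document root. It assumes PHP 7 or later; the paths, constants and function names are hypothetical.

```php
<?php
// Added illustration, not P-News code: all names and paths are hypothetical.
// Assumed layout: document root is /var/www/html, private data lives beside it.
const DOCROOT    = '/var/www/html';
const AVATAR_DIR = '/var/www/app-data/avatars';
const USER_FILE  = '/var/www/app-data/users.txt';

const ALLOWED_EXT   = ['png', 'jpg', 'jpeg', 'gif'];
const ALLOWED_TYPES = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

// Refuse to run if a private path resolves to somewhere under the document root.
function assert_outside_docroot(string $path): void
{
    $real = realpath($path);
    $root = realpath(DOCROOT);
    if ($real === false || $root === false || strpos($real . '/', $root . '/') === 0) {
        throw new RuntimeException("$path is missing or web-accessible");
    }
}
// The same check applies to the user data file: assert_outside_docroot(USER_FILE);

// Validate one entry of $_FILES and store it under a server-chosen name.
function store_avatar(array $upload, int $maxBytes = 262144): string
{
    assert_outside_docroot(AVATAR_DIR);
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if (filesize($upload['tmp_name']) > $maxBytes) {
        throw new RuntimeException('Avatar too large');
    }
    // 1. Allowlist the client-supplied extension (the validation the avatar upload lacks).
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File extension not allowed');
    }
    // 2. The extension alone proves nothing: confirm the content parses as an image.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    // 3. Never reuse the client's file name; derive the extension from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    if (!move_uploaded_file($upload['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store avatar');
    }
    return $name;
}
```

Because the avatars are stored outside the document root, they would be served through a small script that looks the stored name up and sends it with a fixed image `Content-Type`, so an uploaded file is never handed to the PHP interpreter.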

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework