PHProjekt Arbitrary File Upload Vulnerability

Bugtraq ID:	22956
Class:	Input Validation Error
CVE:	CVE-2007-1639
Remote:	Yes
Local:	No
Published:	Mar 14 2007 12:00AM
Updated:	Jun 20 2007 03:39AM
Credit:	Alexios Fakos is credited with the discovery of this vulnerability.
Vulnerable:	PHProjekt PHProjekt 5.2 PHProjekt PHProjekt 5.1.2 PHProjekt PHProjekt 5.1.1 PHProjekt PHProjekt 5.1 Gentoo Linux
Not Vulnerable:	PHProjekt PHProjekt 5.2.1

PHProjekt Arbitrary File Upload Vulnerability

PHProjekt is prone to an arbitrary file-upload vulnerability.

Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process. This may help the attacker compromise the application; other attacks are possible.

Versions prior to 5.2.1 are vulnerable to this issue.

PHProjekt Arbitrary File Upload Vulnerability

Attackers can use a browser to exploit these issues.

PHProjekt Arbitrary File Upload Vulnerability

Solution:
The vendor has released version 5.2.1 to address this issue.


PHProjekt PHProjekt 5.1

• PHProjekt PHProjekt 5.2.1
  http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.1.1

• PHProjekt PHProjekt 5.2.1
  http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.1.2

• PHProjekt PHProjekt 5.2.1
  http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.2

• PHProjekt PHProjekt 5.2.1
  http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt Arbitrary File Upload Vulnerability

References:

• n.runs-SA-2007.006 Privilege escalation PHProjekt 5.2.0 (n.runs AG)
  
• PHProjekt Homepage (PHProjekt Team)
  
• n.runs-SA-2007.006 - PHProjekt 5.2.0 - Privilege escalation (n.runs)