e107 Avatar/Photograph Arbitrary File Upload Vulnerability

Bugtraq ID:	39540
Class:	Input Validation Error
CVE:	CVE-2010-0996
Remote:	Yes
Local:	No
Published:	Apr 15 2010 12:00AM
Updated:	Apr 15 2010 12:00AM
Credit:	Secunia Research
Vulnerable:	e107 e107 0.7.19 e107 e107 0.7.18 e107 e107 0.7.17 e107 e107 0.7.16 e107 e107 0.7.15 e107 e107 0.7.13 e107 e107 0.7.8 e107 e107 0.7.5
Not Vulnerable:	e107 e107 0.7.20

e107 Avatar/Photograph Arbitrary File Upload Vulnerability

e107 is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Versions prior to e107 0.7.20 are vulnerable.

e107 Avatar/Photograph Arbitrary File Upload Vulnerability

Attackers may exploit this issue via a browser.

e107 Avatar/Photograph Arbitrary File Upload Vulnerability

Solution:
Updates are available. Please see the references for more information.

e107 Avatar/Photograph Arbitrary File Upload Vulnerability

References:

• e107 Avatar/Photograph Image File Upload Vulnerability (Secunia)
  
• e107 CMS Homepage (e107)
  
• Security Update 0.7.20 released (e107)