CVE-2007-5156
published 2007-10-01
Priority: P3 49, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 8.00% (94.0th percentile)
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.
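The last-extension check the description refers to, beside a stricter one, as an added example (not FCKeditor's code or its fix; the extension lists, function names and file names are constructed for illustration):

```php
<?php
// Added example, not FCKeditor code. $denied and $allowed are assumed sample lists.

// The check as the vulnerable upload.php performs it: only the text after
// the last dot is lower-cased and compared against the deny list.
function lastExtension(string $name): string {
    return strtolower(substr($name, strrpos($name, '.') + 1));
}

function blacklistAccepts(string $name, array $denied): bool {
    return !in_array(lastExtension($name), $denied, true);
}

// Stricter check: allowlist the final extension and refuse any name whose
// other dot-separated segments match a script extension, because Apache
// considers every extension in a multi-dot file name.
function hardenedAccepts(string $name, array $allowed, array $denied): bool {
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                    // no extension, or a dotfile such as .htaccess
    }
    $ext = array_pop($parts);
    if (!in_array($ext, $allowed, true)) {
        return false;                    // unknown final extension
    }
    array_shift($parts);                 // drop the base name
    foreach ($parts as $segment) {
        if (in_array($segment, $denied, true)) {
            return false;                // inner script extension, e.g. "report.php.jpg"
        }
    }
    return true;
}

// Store under a server-generated name so no client-supplied segment reaches disk.
function storedName(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$denied  = ['php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'cgi', 'pl'];  // assumed
$allowed = ['jpg', 'png', 'gif', 'pdf', 'txt'];                           // assumed
// Constructed file names.
foreach (['photo.jpg', 'notes.php.xyz', 'report.php.jpg', '.htaccess'] as $name) {
    printf("%-16s blacklist=%-6s hardened=%s\n", $name,
        var_export(blacklistAccepts($name, $denied), true),
        var_export(hardenedAccepts($name, $allowed, $denied), true));
}
```

Only `photo.jpg` passes the stricter check, while the last-extension deny list accepts all four names.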
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cardinal_cms_project | cardinal_cms | — | — |
| redlinesoft | lanai_cms | <= 1.2.16 | — |
| sitex_cms_project | sitex_cms | — | — |
| syntax_cms_project | syntax_cms | <= 1.3 | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 5.0 MEDIUM
GHSA
GHSA-p57r-mjxp-9www: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
ghsa_unreviewed·2022-05-01·CVSS 5.0
OSV
CVE-2007-5156: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
osv·2007-10-01·CVSS 5.0
No detection rules found.
Exploit-DB
SyntaxCMS 1.3 - 'FCKeditor' Arbitrary File Upload
exploitdb·2008-05-29
---
Special thanks to EgiX for the exploit code
author...: Stack
mail.....: Ev!L
descr:
if the web site changes the name of the path or the path is /public/ you can delete /public/ in the exploit
in the line :
"POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
[-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php
// Get the posted file.
$oFile = $_FILES['NewFile'] ;

// Get the uploaded file name and extension.
$sFileName = $oFile['name'] ;
$sOriginalFileName = $sFileName ;
$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
$sExtension = strtolower( $sExtension ) ;

// Get the file type (from the QueryString, by default 'File').
$sType =
Exploit-DB
Lanius CMS 1.2.16 - 'FCKeditor' Arbitrary File Upload
exploitdb·2008-05-14
---
if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
    SendResults( '202' ) ;

$sErrorNumber = '0' ;
$sFileUrl = '' ;

// Initializes the counter used to rename the file, if another one with the same name already exists.
$iCounter = 0 ;

// Get the target directory.
if ( isset( $Config['UserFilesAbsolutePath'] ) )
    $sServerDir = $Config['UserFilesAbsolutePath'] ;
else
    //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
    $sServerDir = $Config["UserFilesPath"] ;

while ( true )
{
    // Compose the file path.
    $sFilePath = $sServerDir . $sFileName ;

    // If a file with that name already exists.
    i
No writeups or analysis indexed.
http://dev.fckeditor.net/changeset/973
http://dev.fckeditor.net/ticket/1325
http://downloads.securityfocus.com/vulnerabilities/exploits/30677.php
http://secunia.com/advisories/27123
http://secunia.com/advisories/27174
http://securityreason.com/securityalert/3182
http://sourceforge.net/forum/forum.php?forum_id=743930
http://sourceforge.net/project/shownotes.php?release_id=546000
http://www.securityfocus.com/archive/1/480830/100/0/threaded
http://www.securityfocus.com/bid/29422
http://www.securityfocus.com/bid/30677
http://www.vupen.com/english/advisories/2007/3464
http://www.vupen.com/english/advisories/2007/3465
http://www.waraxe.us/advisory-57.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/42425
https://exchange.xforce.ibmcloud.com/vulnerabilities/42733
https://exchange.xforce.ibmcloud.com/vulnerabilities/44455
https://www.exploit-db.com/exploits/5618
https://www.exploit-db.com/exploits/5688
Published: 2007-10-01