[SCAN Associates Security Advisory] xoops 2.0.9.2 and below weak file extension validation
Summary: xoops 2.0.9.2 and below weak file extension validation
Description
===========
XOOPS is an extensible, OO (Object Oriented), easy to use dynamic web
content management system written in PHP. XOOPS is the ideal tool for
developing small to large dynamic community websites, intra company
portals, corporate portals, weblogs and much more.
Details
=======
A user may upload a valid image file with an insecure extension through the
avatar upload if "Allow custom avatar upload" is set to "Yes" in "User Info
Settings". This setting is off in the default installation. The cause is the
weak file extension validation in the XoopsMediaUploader class in file
uploader.php, which only checks the uploaded name against a short denylist:
if ( preg_match( '/\.(php|cgi|pl|py|asp)$/i', $this->mediaName ) )
{
$this->setErrors('Filename rejected');
return false;
}
On some web server installations other extensions, such as .phtml or .php3,
are also handled as PHP scripts, so a file carrying one of those extensions
passes the check above and is stored where the web server can execute it.
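As an added illustration (this is not code from the advisory or from XOOPS), the denylist quoted above placed beside an allowlist that only accepts a simple basename with a single known image extension; the function names and the file names tested are assumptions chosen for the example:

```php
<?php
// Added example, not XOOPS code: the advisory's denylist check next to an
// allowlist replacement. Function names and the tested names are assumptions.

// Denylist as quoted in the advisory: rejects only five final extensions.
function rejected_by_denylist(string $name): bool
{
    return (bool) preg_match('/\.(php|cgi|pl|py|asp)$/i', $name);
}

// Allowlist: accept only a simple basename with exactly one known-safe image
// extension, so a name the web server might execute is never written at all.
function accepted_by_allowlist(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $name);
}

// Constructed file names; .php3 and .phtml are the ones the advisory mentions.
$names = [
    'avatar.png',
    'avatar.jpg',
    'avatar.php',
    'avatar.php3',
    'avatar.phtml',
    'avatar.PHP3',
    'avatar.php.jpg',
];

printf("%-16s %-9s %-9s\n", 'filename', 'denylist', 'allowlist');
foreach ($names as $n) {
    printf("%-16s %-9s %-9s\n",
        $n,
        rejected_by_denylist($n) ? 'reject' : 'ACCEPT',
        accepted_by_allowlist($n) ? 'accept' : 'REJECT');
}
```

Running it shows avatar.php3, avatar.phtml and avatar.PHP3 slipping through the denylist while the allowlist rejects them; the allowlist also rejects avatar.php.jpg, because it refuses any name with more than one extension rather than relying on how a particular web server maps secondary extensions.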
Workaround
==========
Set "Allow custom avatar upload" to "No" in "User Info Settings".
Proof of concept
================
Rename an image file to "image.php3" and upload it as an avatar using
Internet Explorer.
Vendor Response
===============
27th February 2005 - Vendor contacted but no response.