X2Engine <= 3.7.5 (ProfileController.php) Unrestricted File Upload Vulnerability

• Software Link:


• Affected Versions:

Version 3.7.5 and probably prior versions.

• Vulnerability Description:

The vulnerability exists in the /protected/controllers/ProfileController.php script, specifically in the actionUploadPhoto() method, allowing to upload arbitrary files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.

• Solution:

Apply the vendor patch or upgrade to version 4.0.

• Disclosure Timeline:

[20/03/2014] – Vendor notified
[20/03/2014] – Vendor releases updates
[28/03/2014] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-2664 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano, Secunia Research.

• Original Advisory: