La-Nai CMS <= 1.2.16 (FCKEditor) Unrestricted File Upload Vulnerability


La-Nai CMS contains a flaw that allows a remote user to execute arbitrary PHP code. The vulnerability is caused by an error in the handling of file uploads in the include/fckeditor/editor/filemanager/upload/php/upload.php script when a file name has multiple file extensions. This can be exploited to upload malicious PHP scripts.
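A defensive check for the multiple-extension case described above, as an added example (not La-Nai CMS or FCKeditor code). The allow list, the function name safe_upload_name and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: upload-name validation that treats every dot-separated
// segment as a potential extension. Allow list and names are assumptions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Returns a server-generated storage name for an acceptable upload,
 * or null if the client-supplied name must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any path component and reject control bytes (e.g. NUL truncation).
    $base = basename(str_replace('\\', '/', $clientName));
    if (preg_match('/[\x00-\x1f\x7f]/', $base)) {
        return null;
    }

    // Trailing dots and spaces are stripped by some filesystems; normalise first.
    $base = rtrim($base, '. ');

    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        // No extension, a dot-file (".htaccess"), or more than one extension
        // ("report.php.jpg", "page.php.xyz"): reject instead of guessing
        // which segment the web server will act on.
        return null;
    }

    $ext = $parts[1];
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Never store under the client's name: random name plus the one vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from the advisory.
$samples = ['photo.jpg', 'report.php.jpg', 'page.php.xyz', '.htaccess', 'notes.PDF', 'img.png.'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-16s => %s\n", $name, $stored ?? 'REJECTED');
}
```

Storing uploads outside the web root, or in a directory where script execution is disabled, removes the dependence on name checks alone.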


Disclosure Date: May 14, 2008