La-Nai CMS <= 1.2.16 (FCKEditor) Unrestricted File Upload Vulnerability

Description:

La-Nai CMS contains a flaw that allows a remote user to execute arbitrary PHP code. The vulnerability is caused due to an error in the handling of file uploads in the include/fckeditor/editor/filemanager/upload/php/upload.php script, when a file name has multiple file extensions. This can be exploited to upload malicious PHP scripts.

References:

• CVE-2007-5156
• EDB-5618

Disclosure Date:

May 14, 2008