CMS from Scratch <= 1.1.3 (FCKEditor) Unrestricted File Upload Vulnerability


CMS from Scratch contains a flaw that allows a remote user to execute arbitrary PHP code. The vulnerability is caused by an error in how the cms/FCKeditor/editor/filemanager/connectors/php/upload.php script handles uploaded files whose names have multiple file extensions. This can be exploited to upload malicious PHP scripts.
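An audit an administrator can run over the directory the upload connector writes to, given here as an added example and not as code from CMS from Scratch or FCKeditor: it flags every stored file whose name carries a PHP-executable extension in any dot-separated position, not only the last one. The extension list and the sample directory tree are assumptions made for this example.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled server may hand to the interpreter.
# Adjust to the handler mappings of the server being audited.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}


def risky_segments(filename):
    """Return executable extensions found in ANY dot-separated segment."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are dropped by some filesystems, so ignore them.
    name = name.rstrip(". ").lower()
    # Everything after the first dot counts, not only the final extension.
    return [seg for seg in name.split(".")[1:] if seg in EXECUTABLE_EXTS]


def audit_upload_dir(root):
    """Walk root; return sorted (relative_path, matched_extensions) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hits = risky_segments(fname)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel, hits))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for a real upload directory.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "image"))
        for rel in ("image/photo.jpg", "image/report.v2.pdf",
                    "image/notes.php.txt", "image/page.phtml"):
            open(os.path.join(root, rel), "w").close()
        for path, hits in audit_upload_dir(root):
            print(f"REVIEW {path}: contains {', '.join(hits)}")
```

The same `risky_segments` check can be applied to a file name before it is stored, rejecting the upload when the returned list is not empty.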


Disclosure Date: May 29, 2008