CMS from Scratch <= 1.1.3 (FCKEditor) Unrestricted File Upload Vulnerability

Description:

CMS from Scratch contains a flaw that allows a remote user to execute arbitrary PHP code. The vulnerability is caused due to an error in the handling of file uploads in the cms/FCKeditor/editor/filemanager/connectors/php/upload.php script, when a file name has multiple file extensions. This can be exploited to upload malicious PHP scripts.

References:

BID-29431
EDB-5691

Disclosure Date:

May 29, 2008