CVE-2007-1255 - OpenCVE

Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Connectix	Connectix Boards

Configuration 1 [-]

OR	cpe:2.3:a:connectix:connectix_boards:0.4:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.4.1:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.4.2:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.4.3:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.4.4:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5.1:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5.2:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5.3:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5.4:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.5.5:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.6:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.6.1:::::::*
	cpe:2.3:a:connectix:connectix_boards:0.7:::::::*

References

Link	Resource
http://osvdb.org/33538
http://secunia.com/advisories/24255	Exploit Vendor Advisory
http://securityreason.com/securityalert/2364
http://www.securityfocus.com/archive/1/460947/100/0/threaded
https://www.exploit-db.com/exploits/3352

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-03-03T20:00:00

Updated: 2018-10-16T14:57:01

Reserved: 2007-03-03T00:00:00

Link: CVE-2007-1255

JSON object: View

NVD Information

Status : Modified

Published: 2007-03-03T20:19:00.000

Modified: 2018-10-16T16:37:38.157

Link: CVE-2007-1255

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "24255", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24255"}, {"name": "2364", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2364"}, {"name": "33538", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/33538"}, {"name": "20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/460947/100/0/threaded"}, {"name": "3352", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/3352"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "24255", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24255"}, {"name": "2364", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2364"}, {"name": "33538", "refsource": "OSVDB", "url": "http://osvdb.org/33538"}, {"name": "20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/460947/100/0/threaded"}, {"name": "3352", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/3352"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1255", "datePublished": "2007-03-03T20:00:00", "dateReserved": "2007-03-03T00:00:00", "dateUpdated": "2018-10-16T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:connectix:connectix_boards:0.4:*:*:*:*:*:*:*", "matchCriteriaId": "A5697238-ED12-40AF-87F5-42D5768800B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "BE38981D-9CF2-433E-8810-6030EC832105", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A2BC277-396B-4B8B-8263-162CBEFFF018", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6AE0598A-10D0-458F-92F5-57920FF1CC55", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B55C55CA-8FE6-4544-B2BB-5492BED5D1F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5:*:*:*:*:*:*:*", "matchCriteriaId": "ECA1DDA5-F74F-4E51-B773-B1D5963DBF1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "3009E669-72F1-4F78-901E-7252A3DC7D78", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "B311CD0D-F28A-4828-9B95-706D14AC7331", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "4243ECCE-E2AF-400F-BC10-E5A80FCBFEE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "4BA82EC7-07F8-4FB4-90CF-A8B5680E42EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "071809EB-CB31-434D-A973-2B8E395167C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F117FB93-A4D9-46F0-A4CB-49183C66AAC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "8F81D304-CF6F-4700-91E8-BAB3D80FAE0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:connectix:connectix_boards:0.7:*:*:*:*:*:*:*", "matchCriteriaId": "777E612F-6B0D-403A-8117-A16EC7CE6F77", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks."}, {"lang": "es", "value": "Vulnerabilidad de actualizaci\u00f3n de archivos no restringido en admin.bbcode.php en Connectix Boards 0.7 y anteriores permite a administradores remotos validados ejecutar c\u00f3digo PHP de su elecci\u00f3n a trav\u00e9s de actualizaci\u00f3n de una imagen smiley GIF con un una extensi\u00f3n .php a trav\u00e9s del par\u00e1metro uploadimage en admin.php, lo cual podr\u00eda estar posteriormente accesible a trav\u00e9s de respuesta directa para el fichero en smileys/. NOTA: \t\r\nesto puede ser apalancado con una edici\u00f3n separada de inyecci\u00f3n SQL para ataques remotos no validados."}], "id": "CVE-2007-1255", "lastModified": "2018-10-16T16:37:38.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-03-03T20:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/33538"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://secunia.com/advisories/24255"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2364"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/460947/100/0/threaded"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/3352"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}