CVE-2006-4859

Name of the Vulnerable Software and Affected Versions Limbo (aka Lite Mambo) CMS versions 1.0.4.2L and earlier

Description The issue concerns an unrestricted file upload vulnerability. It allows remote attackers to upload PHP code to the images/contact folder via a filename with a double extension in the contact attach parameter in a contact option in "index.php". This is possible due to an insufficiently restrictive regular expression.

Recommendations For Limbo (aka Lite Mambo) CMS versions 1.0.4.2L and earlier, consider restricting the file types that can be uploaded through the contact option in index.php to prevent the upload of PHP code. As a temporary workaround, restrict access to the images/contact folder to minimize the risk of exploitation.