PT-2011-2553 · Lomtec · Lomtec Activeweb Professional

Stenoplasma · Published 2011-01-28 · Updated 2017-08-17 · CVE-2011-0678

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Lomtec ActiveWeb Professional version 3.0

Description: The issue is an unrestricted file upload vulnerability in the EasyEdit module. It allows remote attackers to execute arbitrary code by uploading an executable file. The vulnerability is exploited through the UploadDirectory and Accepted Extensions fields in the getImagefile component of EasyEdit.cfm.

Recommendations: For Lomtec ActiveWeb Professional version 3.0, restrict access to the UploadDirectory field and limit the Accepted Extensions in the getImagefile component of EasyEdit.cfm so that executable files cannot be uploaded. Consider disabling the EasyEdit module until a proper fix is available.
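Server-side validation of the kind the recommendation describes, as an added illustration that is not part of this advisory or of Lomtec's code. The names and values ALLOWED_IMAGE_EXTENSIONS, SERVER_EXECUTABLE_EXTENSIONS and UPLOAD_ROOT are assumed: the point is that the accepted extensions and the upload root are fixed server-side configuration rather than request fields, that a server-executable extension is refused anywhere in the filename, that the file's leading bytes must match the claimed image type, and that a requested subdirectory may not escape the configured root.

```python
"""Server-side validation for an image upload endpoint (constructed example)."""
import os
import posixpath

# Server-side policy. The accepted-extension list is deliberately NOT read from
# the request; a client-supplied list is what an upload bug of this kind exploits.
ALLOWED_IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})

# Extensions a web or application server may execute; rejected anywhere in the
# filename (photo.cfm.png included), regardless of the allowlist.
SERVER_EXECUTABLE_EXTENSIONS = frozenset(
    {"cfm", "cfc", "cfml", "php", "asp", "aspx", "jsp", "jspx", "exe", "sh", "htaccess"}
)

# Leading bytes of the formats we accept, so a .png must actually start like a PNG.
MAGIC_BY_EXTENSION = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

UPLOAD_ROOT = "/var/www/uploads/images"  # assumed, fixed server-side upload root


class UploadRejected(ValueError):
    """Raised for any upload that fails policy; the caller should answer HTTP 400."""


def sanitize_filename(name: str) -> str:
    """Keep only the final path component and refuse names that cannot be a plain file."""
    if "\x00" in name:
        raise UploadRejected("NUL byte in filename")
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("empty or relative filename")
    return base


def extension_allowed(filename: str, accepted=ALLOWED_IMAGE_EXTENSIONS) -> bool:
    """True only if the last extension is allowlisted and no executable extension appears."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    exts = parts[1:]
    if any(ext in SERVER_EXECUTABLE_EXTENSIONS for ext in exts):
        return False
    return exts[-1] in accepted


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check the file's leading bytes against the signature expected for its extension."""
    return any(data.startswith(sig) for sig in MAGIC_BY_EXTENSION.get(ext, ()))


def resolve_upload_path(upload_root: str, requested_dir: str, filename: str) -> str:
    """Join a client-requested subdirectory under the root and refuse any escape from it."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, requested_dir or "", filename))
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("upload directory escapes the configured root")
    return target


def validate_upload(filename: str, requested_dir: str, data: bytes,
                    upload_root: str = UPLOAD_ROOT) -> str:
    """Return the absolute path an upload may be written to, or raise UploadRejected."""
    safe_name = sanitize_filename(filename)
    if not extension_allowed(safe_name):
        raise UploadRejected(f"extension not permitted: {safe_name}")
    ext = safe_name.lower().rsplit(".", 1)[1]
    if not content_matches_extension(data, ext):
        raise UploadRejected(f"content does not look like a .{ext} file")
    return resolve_upload_path(upload_root, requested_dir, safe_name)


def is_rejected(filename: str, requested_dir: str, data: bytes) -> bool:
    """Convenience wrapper: True when policy refuses the upload, False when it is accepted."""
    try:
        validate_upload(filename, requested_dir, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate image and three that policy must refuse.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("photo.png", "", png),
        ("page.cfm", "", b"<cfoutput>"),     # executable extension
        ("photo.cfm.png", "", png),          # executable extension hidden in the chain
        ("photo.png", "../../conf", png),    # directory escape via the requested folder
    ]
    for name, subdir, body in samples:
        print("reject" if is_rejected(name, subdir, body) else "accept", name, subdir or "/")
```

The check order matters in practice: the filename is normalised first so that every later decision (extension, content, destination) is made on the same string that will be written to disk, and the destination is resolved with realpath before it is compared to the root so that ".." segments and symlinks cannot move the file outside the upload area.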

Exploit

Fix


Related identifiers

CVE-2011-0678

Affected products

Lomtec Activeweb Professional