CVE-2005-4171

Name of the Vulnerable Software and Affected Versions eFiction version 1.1

Description The issue allows remote attackers to execute arbitrary PHP code by uploading a filename with a .php extension that contains a GIF header. This passes the image validity check but executes any PHP code within the file, occurring when members are allowed to upload images through the "Upload new image" command in the "Manage Images" section.

Recommendations For eFiction version 1.1, as a temporary workaround, consider disabling the image upload functionality until a patch is available. Restrict access to the "Manage Images" section to minimize the risk of exploitation. Avoid allowing members to upload files with .php extensions to prevent arbitrary PHP code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.