PT-2006-3295 · Php Fusion · Php-Fusion

Author: Rgod · Published: 2006-05-12 · Updated: 2018-10-18 · CVE-2006-2330
CVSS v2.0: 6.4 (Medium) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
PHP-Fusion versions 6.00.306 and earlier

Description
The issue allows remote authenticated users to upload files of arbitrary types by using a filename that contains two or more extensions and ends in an assumed-valid extension such as .gif. Because only the final extension is checked, the upload passes validation and the file may later be executed as a script, for example an avatar file whose name ends in ".php.gif" and that carries PHP code in its EXIF metadata.

Recommendations
For PHP-Fusion versions 6.00.306 and earlier, restrict file uploads to an explicit allowlist of extensions and validate the file type from its content rather than from the extension alone. As a temporary workaround, restrict access to the file upload feature until a proper fix is applied.
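The following is an added example, not code from PHP-Fusion or from this advisory, showing how the two recommendations above can be implemented in PHP: the client-supplied name must carry exactly one allowlisted extension (so "avatar.php.gif" is rejected), the file content must start with the magic bytes of the type that extension claims, and the stored filename is chosen by the server rather than taken from the client. The function names, the ALLOWED_TYPES table and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not PHP-Fusion's own code): strict avatar upload validation
// combining an explicit extension allowlist with content-based type detection.
declare(strict_types=1);

// Allowed extension => file signatures (magic bytes) that content must start with.
const ALLOWED_TYPES = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
];

/**
 * Returns the single lowercase extension of $name, or null when the name is
 * not exactly "basename.ext". Names with two or more dots, such as
 * "avatar.php.gif", are rejected outright instead of trusting the last part.
 */
function single_extension(string $name): ?string
{
    $base  = basename($name);          // drop any directory component sent by the client
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    return ctype_alnum($ext) ? $ext : null;
}

/**
 * Checks that $data begins with one of the signatures registered for $ext.
 * The client-supplied Content-Type header is deliberately ignored.
 */
function content_matches_extension(string $data, string $ext): bool
{
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    foreach (ALLOWED_TYPES[$ext] as $magic) {
        if (strncmp($data, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Validates an upload and returns the server-chosen filename to store it
 * under, or null when the upload must be rejected.
 */
function validate_avatar(string $clientName, string $data): ?string
{
    $ext = single_extension($clientName);
    if ($ext === null || !content_matches_extension($data, $ext)) {
        return null;
    }
    // Never reuse the client's name: a random name with the verified extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a minimal GIF header and a PHP script body.
$gifData = "GIF89a" . str_repeat("\0", 10);
$phpData = "<?php echo 'x'; ?>";

var_dump(validate_avatar('avatar.gif', $gifData) !== null);   // accepted
var_dump(validate_avatar('avatar.php.gif', $gifData));         // rejected: double extension
var_dump(validate_avatar('avatar.gif', $phpData));             // rejected: content is not a GIF
```

The signature check stops a script being stored under an image extension, and the server-generated name removes the client's control over what the file is called. It does not inspect EXIF or other metadata, so the stored image may still contain arbitrary bytes; that is harmless only as long as the upload directory is never handed to the PHP interpreter, so the directory should also be configured to serve files as static content.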


Related Identifiers: CVE-2006-2330
Affected Products: Php-Fusion