PT-2006-4024 · Apache · Mod Mime

Published 2006-06-21 · Updated 2018-10-18 · CVE-2006-3128

CVSS v2.0: 4.6 (Medium)

Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: easy-CMS version 0.1.2

Description: The issue allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a GIF file extension, then directly accessing that file in the Repositories directory. This is possible because the choose_file.php script does not restrict uploads of filenames with multiple extensions when mod_mime is installed; mod_mime maps every extension in a filename, so a file whose name carries both a .php and a .gif extension is still handed to the PHP handler when requested.

Recommendations: For easy-CMS version 0.1.2, restrict the upload of files with multiple extensions in the choose_file.php script to prevent the execution of arbitrary PHP code. Validate and sanitize uploaded file names to ensure they do not contain executable extensions.
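The following is an added example of the kind of upload check the recommendation calls for; it is not code from easy-CMS or from this advisory. It assumes the repository is meant to hold images only (the allow-list of extensions, the `storeUpload` function and the `Repositories` path argument are assumptions for illustration). The name check accepts exactly one extension from the allow-list, the content is verified with `finfo` rather than the client-supplied type, and the file is stored under a server-generated name so the user-chosen filename never reaches the disk.

```php
<?php
// Added example, not easy-CMS code: a hardened upload handler that rejects
// multi-extension filenames and never stores the user-supplied name.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png']; // assumption: image-only repository
const MAX_UPLOAD_BYTES   = 2 * 1024 * 1024;               // assumption: 2 MiB limit

/**
 * Returns the single, allow-listed extension of $name, or null if the name is
 * unacceptable. "shell.php.gif" is rejected because it carries two extensions;
 * with mod_mime that name would otherwise be mapped to the PHP handler.
 */
function validateUploadName(string $name): ?string
{
    $base = basename($name); // drop any path component the client sent
    // Exactly one dot between a non-empty stem and extension, conservative charset.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/**
 * Checks the stored bytes with finfo, independent of the claimed filename and
 * of the client-supplied $_FILES['type'] value.
 */
function contentMatchesExtension(string $path, string $ext): bool
{
    $expected = [
        'gif'  => 'image/gif',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return isset($expected[$ext]) && $finfo->file($path) === $expected[$ext];
}

/**
 * Stores one $_FILES entry under a random server-chosen name inside
 * $repositoryDir. Returns the stored filename or throws on any failure.
 */
function storeUpload(array $file, string $repositoryDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    $ext = validateUploadName($file['name']);
    if ($ext === null) {
        throw new RuntimeException('filename rejected');
    }
    if (!is_uploaded_file($file['tmp_name'])
        || !contentMatchesExtension($file['tmp_name'], $ext)) {
        throw new RuntimeException('content does not match extension');
    }
    // Random name: the uploader never controls what ends up on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($repositoryDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $stored;
}

// Name check on constructed inputs (run from the CLI; no upload needed):
foreach (['photo.gif', 'shell.php.gif', 'shell.php', 'photo.GIF', 'photo'] as $n) {
    printf("%-14s => %s\n", $n, validateUploadName($n) ?? 'rejected');
}
// In the upload script: $name = storeUpload($_FILES['upload'], __DIR__ . '/Repositories');
```

As defence in depth, serve the Repositories directory with PHP handling disabled in the Apache configuration (for example `RemoveHandler .php` in a `<Directory>` block, or `php_admin_flag engine off` under mod_php), so that a mis-named file is delivered as static content rather than executed even if the name check is bypassed.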

Fix

Found a problem in the description? Have something to add? Feel free to write to us 👾

Related identifiers

CVE-2006-3128

Affected products

Mod Mime