PT-2007-7313 · Dokeos · Dokeos
Romancyxhacker · Published 2007-12-20 · Updated 2017-09-29 · CVE-2007-6479
CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Dokeos version 1.8.4
Description: Unrestricted file upload in the "My productions" component of the "My profile" page (main/auth/profile.php) of Dokeos 1.8.4. A remote authenticated user can upload an arbitrary PHP file by giving it a double extension; the file is stored under main/upload/users/, where it can be requested by URI and executed by the web server.
Recommendations: As a temporary workaround for Dokeos 1.8.4, restrict uploads to an allowlist of permitted extensions and validate the submitted filename so that names with double extensions are rejected. Also restrict access to the main/upload/users/ directory to limit the impact of a successful upload.
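The following is an added example written for this entry; it is not Dokeos code and does not reproduce the vulnerable profile.php. It shows the validation the recommendation asks for: a client-supplied filename is accepted only if it has exactly one extension and that extension is on an allowlist, and the server chooses the on-disk name itself. Double extensions matter because with the usual Apache/mod_php handler mapping any `.php` segment of a multi-extension name can trigger execution. The allowlist contents and the helper names are assumptions.

```php
<?php
// Added example, not Dokeos code. Illustrates the recommendation above:
// accept an upload only if its name has exactly one extension that is on
// an allowlist, and never reuse the client-supplied name on disk.

declare(strict_types=1);

// Assumption: the extensions the "My productions" feature legitimately needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Validate a client-supplied filename. Returns the lower-cased extension
 * on success, or null if the name must be refused.
 */
function validated_extension(string $clientName): ?string
{
    // Strip any path component; browsers normally send only a basename,
    // but a crafted request can include separators.
    $base = basename(str_replace('\\', '/', $clientName));

    // No hidden files (".htaccess") and no empty names.
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Exactly one dot means exactly one extension. "report.pdf.php" and
    // "report.php.pdf" both have more than one and are refused outright
    // rather than "repaired".
    $parts = explode('.', $base);
    if (count($parts) !== 2) {
        return null;
    }
    [$stem, $ext] = $parts;
    $ext = strtolower($ext);

    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Conservative stem charset: safe for the filesystem and for the URI
    // under which the file will later be served.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)) {
        return null;
    }
    return $ext;
}

/**
 * Choose the on-disk name: a random stem plus the validated extension, so
 * nothing the client sent reaches the filesystem.
 */
function storage_name(string $clientName): ?string
{
    $ext = validated_extension($clientName);
    if ($ext === null) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names exercising the cases the advisory describes.
$samples = [
    'photo.jpg',            // accepted
    'photo.JPG',            // accepted (extension compared case-insensitively)
    'photo.php',            // refused: extension not on the allowlist
    'photo.php.jpg',        // refused: double extension
    'photo.jpg.php',        // refused: double extension
    '.htaccess',            // refused: hidden file
    '../../profile.jpg',    // path stripped, then accepted as "profile.jpg"
];

foreach ($samples as $name) {
    $stored = storage_name($name);
    printf("%-22s -> %s\n", $name, $stored ?? 'REJECTED');
}
```

A name check alone does not verify content, so in practice it is paired with a content check (for example `finfo_file()` against the expected MIME types) and with server-side hardening of the upload directory: serve main/upload/users/ with script execution disabled (under Apache mod_php, `php_admin_flag engine off` in a `<Directory>` block), which is the second recommendation above and removes the execution step even if a bad name slips through.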

Exploit

Fix


Weakness Enumeration

Related Identifiers

CVE-2007-6479

Affected Products

Dokeos