FreeBSD : twiki -- multiple file extensions file upload vulnerability (a876df84-0fef-11db-ac96-000c6ec775d9)
Severity: Medium. Nessus Plugin ID: 22007.
Synopsis
The remote FreeBSD host is missing a security-related update.

Description
A TWiki Security Alert reports:
The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, and .pl files from potentially being executed by appending a .txt suffix to the uploaded filename. However, PHP and some other file types allow additional suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, i.e. it is possible to upload PHP scripts with such suffixes without the .txt filename padding.
This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.
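The weakness the alert describes is a filter that inspects only the final extension of an uploaded filename, while the web server may act on any extension component. The following is an added example (not TWiki's own code, which is Perl; Python is used here for illustration) that places a last-extension-only check beside one that inspects every dot-separated component. The extension list is the one the alert names; the case-insensitive comparison, the function names, and the sample filenames are assumptions of this example.

```python
# Script extensions named in the TWiki alert as already subject to .txt padding.
# Case-insensitive matching is an assumption of this example, not stated on the page.
SCRIPT_EXTENSIONS = {"php", "php1", "phps", "pl"}


def weak_filter(filename: str) -> str:
    """Pads only when the LAST extension is a script type.

    This mirrors the insufficient behaviour the alert describes: a name such
    as 'x.php.en' passes untouched because its last component is 'en'.
    """
    head, sep, last = filename.rpartition(".")
    if sep and last.lower() in SCRIPT_EXTENSIONS:
        return filename + ".txt"
    return filename


def hardened_filter(filename: str) -> str:
    """Pads when ANY extension component after the base name is a script type.

    Multi-suffix names such as 'x.php.en', 'x.php.1' or 'x.php.2' are padded
    with '.txt' just like a plain 'x.php', which closes the gap the alert reports.
    """
    components = filename.split(".")[1:]  # everything after the base name
    if any(c.lower() in SCRIPT_EXTENSIONS for c in components):
        return filename + ".txt"
    return filename


def compare(filenames):
    """Return {name: (weak_result, hardened_result)} for a list of upload names."""
    return {name: (weak_filter(name), hardened_filter(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample upload names, including the multi-suffix forms from the alert.
    samples = ["notes.txt", "shell.php", "shell.php.en", "shell.PHP.1", "readme"]
    for name, (weak, hard) in compare(samples).items():
        print(f"{name:14} weak -> {weak:20} hardened -> {hard}")
```

The difference to look for is `shell.php.en`: the last-extension check leaves it unchanged, while the component-wise check pads it to `shell.php.en.txt`. Padding rather than rejecting keeps the upload usable as an attachment, which is the behaviour the alert credits the existing filter with for single-suffix names.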
Solution
Update the affected package.