Secunia Research has discovered a vulnerability in e107, which can be exploited by malicious users to compromise a vulnerable system. An error exists in the handling of file uploads for avatar and photograph images. This can be exploited to upload and execute arbitrary PHP code via a specially crafted image file with a ".php.filetypesphp" extension. Successful exploitation requires that "Public Uploads" are disabled (default), but uploads for avatar or photograph images for users are enabled, and a certain server configuration (e.g. an Apache server with the "mod_mime" module installed).e107 version 0.7.19 is affected.
45428821d57d683fe1349074f3b121de28a05956ea85e81aa8b952bc93652c39