Vulnerability in phpWebSite Announcement Image Upload
Please note that we do not support phpWebSite. This news item is for IU's central web server account holders who are using phpWebSite on their account.
A security researcher known as nst has reported a vulnerability in phpWebSite that malicious people can potentially exploit to compromise a vulnerable system.
The vulnerability is caused by an error in the handling of image uploads when submitting an announcement. This can be exploited to upload arbitrary PHP scripts to a directory inside the web root. The vulnerability has been reported in version 0.10.0 and prior. No patch is currently available for this vulnerability, but it can be resolved by editing the source code to ensure that filenames of uploaded images are properly verified.
For more information, please see Secunia Advisory: phpWebSite Announcement Image Upload Vulnerability
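One way to perform the filename verification described above, shown as an added example that is not phpWebSite's own code or a vendor patch. The function name store_announcement_image, the allowlist and the destination directory are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not part of phpWebSite.
// Maps image types detected from file content to the extension we will store.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one entry of $_FILES and move it into $destDir.
 * Returns the stored file name, or null if the upload is rejected.
 */
function store_announcement_image(array $upload, string $destDir): ?string
{
    // Reject failed uploads and anything that did not arrive via HTTP POST.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }

    // The client-supplied name is untrusted. Require exactly one dot and an
    // allowlisted extension, so names such as "x.php" or "x.php.jpg" fail.
    $clientName = basename($upload['name']);
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $clientName)) {
        return null;
    }

    // The content itself must parse as one of the allowed image types.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }

    // Never reuse the client's name on disk: generate one server-side and
    // take the extension from the detected type, not from the request.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    $target = rtrim($destDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644); // readable by the web server, not executable
    return $storedName;
}
```

Because the stored extension is chosen by the server, a file that passes the image check still cannot be saved under a name the web server would hand to the PHP interpreter. Disabling script execution for the upload directory in the web server configuration gives a second layer if the check is ever bypassed.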



