This issue arises because the rConfig v3.9.6 package does not check the file extension of an uploaded file before executing it. An attacker can exploit this issue to execute arbitrary code. Note that rConfig v3.9.6 is only vulnerable when used to upload PHP files. rConfig v3.9.6 resolves this issue by updating its code to ensure that the file extension is validated before execution.
Reduce the risk of code execution by ensuring that the rConfig v3.9.6 package does not execute files with a malicious file extension.
(Released December 2016)
rConfig v3.9.7 resolves this issue by verifying that the uploaded file has a .php extension before execution.
This release includes the following changes:
* Updated code to ensure that the rConfig v3.9.6 package does not execute files with a malicious file extension
* Improved detection of the PHP process identifier
* Ensured that rConfig v3.9.7 has no known issues with its patch installation process
* Fixed issues with filesystem permissions
rConfig v3.9.7: Update the code to check file extension before execution
The rConfig v3.9.7 package resolves CVE-2022-44384, an issue in the upload functionality of rConfig v3.9.6 that allows an attacker to execute arbitrary code by exploiting the lack of file extension validation. The fix updates the code to check the file extension before execution.