[Original text] PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions and ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.
PHP-Fusion contains a flaw that may allow a malicious user to upload avatar images with multiple file extensions. The flaw may allow execution of arbitrary PHP code if used, for example, in conjunction with the Apache mod_mime module.
Upgrade to version 6.00.307 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
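The extension check described above, shown as an added illustration in PHP. It is not PHP-Fusion's code or the vendor's fix. The function names, the allow-list and the sample filenames are assumptions made for the example. The weak form inspects only the final extension, while the stricter form accepts a name only if it has exactly one extension.

```php
<?php
// Added example, not PHP-Fusion code. Names and allow-list are assumptions.

const ALLOWED_AVATAR_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// Weak pattern: only the final extension is inspected, so a name such as
// "avatar.php.gif" is accepted. mod_mime can still map the inner ".php"
// to a handler when the file is later requested.
function last_extension_ok(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_AVATAR_EXT, true);
}

// Stricter check: a conservative base name followed by exactly one
// extension, and that extension must be on the allow-list.
function avatar_name_ok(string $name): bool
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $name, $m)) {
        return false; // extra dots, empty base name, path separators, control chars
    }
    return in_array(strtolower($m[1]), ALLOWED_AVATAR_EXT, true);
}

// Safer still: never reuse the client-supplied name on disk. Keep only the
// validated extension and generate the rest on the server.
function stored_avatar_name(string $clientName): ?string
{
    if (!avatar_name_ok($clientName)) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, printed side by side for both checks.
foreach (['me.gif', 'avatar.php.gif', 'ME.PNG', '.gif', 'a.gif.php'] as $n) {
    printf(
        "%-16s last-ext=%-5s strict=%s\n",
        $n,
        var_export(last_extension_ok($n), true),
        var_export(avatar_name_ok($n), true)
    );
}
```

A filename check does not inspect file contents, so it does not address the PHP code carried in EXIF metadata; it only keeps the stored name from carrying an extension that the web server maps to a script handler.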