This vulnerability has been fixed on TCExam 10.1.011.
Now you can upload only the file types listed on K_ALLOWED_UPLOAD_EXTENSIONS constant at admin/config/tce_config.php.
Anyway, the vulnerability description is WRONG because only TCExam administrators may upload files to the system (you can upload files only from administration area - that should be password protected - and if you have an editor level). This means that only a TCExam administrator can hack himself!
Please note that I haven't received any notice about this vulnerability, I've just discovered it casually and immediately fixed. I think that you should always contact authors before publishing a security advisory.
John Leitch said...
Take another look at the code I posted. No authentication is performed. This vulnerability can be exploited without logging in, and this has been verified by a 3rd party.
Note that Secunia rated this Highly Critical:
And regarding disclosure, I do this in my free time and given the number of vendors who've ignored me in the past I've decided to take an immediate, full disclosure route.
* source - http://cross-site-scripting.blogspot.com/2010/06/tcexam-101006-arbitrary-upload.html
Note that if you correctly install TCExam, you must set a webserver-level password for the entire administration area.
Anyway, I've completely fixed the authentication issue on TCExam 10.1.012.