Vendor: osDate
By: Xa7m3d
CVSS: 7.5 (HIGH)
Title: Upload Shell Vulnerability
CWE: 434
Product Name: osDate
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 9.10
Year: 2010

osDate Upload Shell Vulnerability (uploadvideos.php)

A vulnerability in osDate allows an attacker to upload a malicious shell to the server. The attacker must first create an account and confirm it. Then, they can access the uploadvideos.php page and upload a malicious shell. The shell will be stored in the uservideos folder. The attacker can then access the shell by going to the uservideos folder.

Mitigation:

Ensure that the uservideos folder is not publicly accessible and that the uploadvideos.php page is not accessible to unauthenticated users.
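
Because the advisory's steps are carried out from a registered account and the uploaded file keeps its `.php` name (`username_V1_shell.php`), the upload handler itself also has to reject non-video files. The following is an added example of such a check, not osDate's code; the function, constant and directory names are hypothetical, and it assumes PHP 7+ with the fileinfo extension and a storage directory outside the web root.

```php
<?php
declare(strict_types=1);

// Added example; not osDate code. Function, constant and path names are hypothetical.

// Allowlist: permitted extension => MIME type expected from content inspection.
const ALLOWED_VIDEO_TYPES = [
    'mp4'  => 'video/mp4',
    'webm' => 'video/webm',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * $storageDir is assumed to sit outside the web root, so nothing in it is
 * reachable by URL or handed to the PHP interpreter.
 */
function store_user_video(array $file, int $userId, string $storageDir): string
{
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed.');
    }

    // Only the final extension counts, and it must be on the allowlist.
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_VIDEO_TYPES)) {
        throw new RuntimeException('File type not allowed.');
    }

    // Inspect the bytes; the client-sent Content-Type is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ALLOWED_VIDEO_TYPES[$ext]) {
        throw new RuntimeException('Content does not match the declared video type.');
    }

    // Server-generated name: no part of the client's file name survives.
    $name = sprintf('%d_%s.%s', $userId, bin2hex(random_bytes(16)), $ext);
    if (!move_uploaded_file($tmp, rtrim($storageDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file.');
    }
    return $name;
}
```

Stored files would then be returned to users through a script that reads them from the storage directory, rather than by linking into a folder the web server executes PHP from.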

Exploit-DB raw data:

====================================================

osDate Upload Shell Vulnerability (uploadvideos.php)

====================================================

##########################################################

#[~] Date : 05/08/2010                                   #

#[~] Author : Xa7m3d                                     #

#[~] Tested ON : ubuntu 9.10                             #

#[~] MY Team : Currently no                              #

#[~] Software Link : http://www.tufat.com/script39.htm   #

#[~] E-mail : C1G@hotmail.com                            #

#[~] Language : php                                      #

#[~] Dork : N/A                                          #

##########################################################

[+] Step 1 : Make sure the uservideos folder exists at the following path

[-] localhost/temp/uservideos

[+] Step 2 : Register & confirm your account

[+] Step 3 : Go To :

[-] server/uploadvideos.php

[+] Step 4 : Upload shell.php

[+] Step 5 : Go here :

[-] server/temp/uservideos

[+] You will see your shell, like "username_V1_shell.php"

 
---------greatz----------

 
Greatz to : All Muslim & Turkish Hacker,All My Friends,www.inj3ct0r.com,www.exploit-db.com,www.securityreason.com,www.securityfocus.com,www.sec-war.com,www.hackteach.org,www.sec-r1z.com,www.hackforums.net,www.1923turk.com,www.no-exploit.com,www.dev-point.com,www.2hacker.com,www.iqs3cur1ty.com,www.arab-exploit.com ..etc


Note ~ : I have the Quran memorized! He can burn the Holy Quran all he wants, the message of Islam will never die!
 
Muslim & Tunisian Hacker

 
EnJoY o_O

 
./3x17