Vendor: phUploader
By: wlhaan-hacker
CVSS: 6.4 (MEDIUM)
Remote File Upload Vulnerability
CWE: 434
Product Name: phUploader
Affected Version From: v2
Affected Version To: v2
Patch Exists: NO
Related CWE: N/A
CPE: a:phuploader:phuploader
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009

phUploader Remote File Upload Vulnerability

The phUploader upload script (upload.php) does not reject file names that carry a double extension, which allows an attacker to upload a malicious file to the server. A script renamed to shell.php.flac is accepted and stored in the uploads directory, where the attacker can then reach it at http://{target}/script path/uploads/shell.php.flac. A video demonstration of the exploit is available for download at http://filaty.com/f/912/99431/up5.rar.html.

Mitigation:

The vendor should ensure that the application only allows the upload of files with valid extensions and rejects files with double extensions.
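
One way to implement the extension check described in the mitigation, as an added example that is not phUploader's own code. The function name `safe_upload_name` and the allowlist contents are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_EXTENSIONS and safe_upload_name() are hypothetical
// names; adjust the allowlist to the file types the site really needs.
const ALLOWED_EXTENSIONS = ['flac', 'mp3', 'ogg', 'wav'];

/**
 * Returns the name to store an upload under, or null if it must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory component supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject empty names and names containing NUL or control characters.
    if ($base === '' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Require exactly "name.ext": "shell.php.flac" splits into three parts
    // and is refused, as is a trailing dot ("song.flac.").
    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }

    // The single extension must be on the allowlist.
    if (!in_array($parts[1], ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Store under a random name so the client-chosen name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

// Constructed sample names, not taken from a real server.
$samples = ['song.flac', 'song.FLAC', 'shell.php.flac', 'shell.php', 'song.flac.'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-16s => %s\n", $name, $stored === null ? 'rejected' : "stored as $stored");
}
```

In an upload handler, pass `$_FILES[...]['name']` to this function and use the returned value as the destination file name for `move_uploaded_file()`.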

Exploit-DB raw data:

# Exploit Title: phUploader Remote File Upload Vulnerability
# Date: 20-12-2009
# Author: wlhaan-hacker
#
# Version: v2
# CVE : [N/A]

==========================================================================

~ Script Name : phUploader
~ Language : php
~
~ email: iit@hotmail.com
~
============================================================

Dork : Powered By phUploader



============================================================
Exploit :



http://{target}/script path/upload.php

change shell

shell.php.flac

go to shell

http://{target}/script path/uploads/shell.php.flac

Exploit video
Download:
http://filaty.com/f/912/99431/up5.rar.html
============================================================

thank you for

shooq hacker
============================================================

www.sa-hacker.com/vb
============================================================