Vendor: Ultimate Fade-in slideshow
By: NeX HaCkeR
CVSS: 7.5 (HIGH)
Shell Upload Vulnerability
CWE: 264
Product Name: Ultimate Fade-in slideshow
Affected Version From: 1.51
Affected Version To: 1.51
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Ultimate Fade-in slideshow 1.51 <= Shell Upload Vulnerability

A user can register on the site (user_register.php) and then go to the Add New Events page (events_uadd.php). From there, they can upload a shell.php file.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in any file operations.
Source

Exploit-DB raw data:

==================

NaMe: Ultimate Fade-in slideshow 1.51  <= Shell Upload Vulnerability
Author : NeX HaCkeR
Contact: c2l@hotmail.com

==================

Script site : http://www.dynamicdrive.com

==================

ExplOiT:

1: register in site

http://www.xxx.com/path/user_register.php

2: go to your Add New Events

http://www.xxx.com/path/events_uadd.php

Now upload shell.php

==================

Live DemO:

http://www.deals2cops.com



+========================================================+
|                                                                                   
| Greetz.: ~ CrazyMaN ~ Dr.KAsBeR ~ DaMi ~                                          
|               And All Friends!!!!                                         |
+========================================================+

# milw0rm.com [2009-08-18]