Vendor: bestdatingscript
By: jetli007
CVSS: 8.8 (HIGH)
Type: Shell Upload
CWE: 434
Product Name: bestdatingscript
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Shell Upload Vulnerability

A vulnerability in bestdatingscript allows an attacker to upload a malicious shell to the server. After registering an account and logging in, the attacker navigates to the upload.php page and uploads a malicious shell, such as Evil.php, which is stored in the photos directory. The shell can then be used to execute arbitrary code on the server.

Mitigation:

Ensure that the upload.php page is not accessible to unauthenticated users, and that all uploaded files are scanned for malicious content.
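
One way to validate a photo upload on the server so that a file such as Evil.php is never stored under an executable name. This is an added example, not bestdatingscript's code; the form field `photo`, the session key `user_id`, `PHOTO_DIR` and `MAX_BYTES` are assumptions.

```php
<?php
// Added example, not bestdatingscript's code. Assumed names: form field
// "photo", session key "user_id", PHOTO_DIR and MAX_BYTES.
const PHOTO_DIR = '/var/www-data/photos'; // assumed: outside the web root
const MAX_BYTES = 2097152;                // assumed 2 MiB limit
const ALLOWED   = [                       // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_photo(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the file's content; the client-supplied name and
    // Content-Type ($file['name'], $file['type']) are ignored entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen random name with a fixed extension: an upload named
    // "Evil.php" can never land on disk under a .php name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], PHOTO_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

session_start();
if (empty($_SESSION['user_id'])) {   // authentication is required ...
    http_response_code(403);
    exit;
}
try {                                // ... but every upload is still validated
    $stored = store_photo($_FILES['photo'] ?? []);
    echo 'stored as ' . htmlspecialchars($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected';
}
```

If the photos directory has to stay under the web root, the web server should also be configured not to execute scripts from it.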
Source

Exploit-DB raw data:

=======================================================
+++++++++++++++++++ |Script info| +++++++++++++++++++++
=======================================================
                       
                    [Shell Upload Vulnerability]

[-] script : bestdatingscript

[-] Site   : http://www.bestdatingscript.com



=======================================================
+++++++++++++++++++ |Author| ++++++++++++++++++++++++++
=======================================================


[+] Found by  :  jetli007

[+] C0ntact   : alkhari9007 [AT] Gmail [DOT] com 
                   
[+] Group     : Saudi Virus Team

[+] Site       : www.vxx9.cc

=======================================================
+++++++++++++++++++++++ |Exploit| +++++++++++++++++++++
=======================================================


[+] Exploit : 
     
  - steps :	 

        - [1] : register in site

        - [2] : Login with ur account 
         
        - [3] : goto http://www.127.0.0.1.com/ [path] /upload.php
		
        - [4] : http://www.127.0.0.1.com/ [path] /photos/Evil.php
		
---------------------------------------------------------------------

Greetz : Reno ; Dr.php ; !BaD BoY! ; 5D ; taishi ; ga3 wlad drb XD ; all friends [* -]

# milw0rm.com [2009-08-18]