Vendor: EAFlashUpload
By: Daniel Godoy
CVSS: 9.3 (HIGH)
Type: Arbitrary File Upload
CWE: 434
Product Name: EAFlashUpload
Affected Version From: 2.5
Affected Version To: 2.5
Patch Exists: NO
Related CWE: N/A
CPE: a:easyalgo:eaflashupload:2.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

EAFlashUpload v 2.5 File Arbitrary Upload

EAFlashUpload v 2.5 contains an arbitrary file upload vulnerability. An attacker can upload malicious files to the server without authentication and, through them, execute arbitrary code on the server.

Mitigation:

Configure the application to accept only uploads with the appropriate file extensions and to write uploaded files only to the appropriate directories.
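
The two checks named in the mitigation above, as an added C# example (not code from EAFlashUpload or from the original advisory): an extension allowlist plus confinement of the saved file to a single upload directory. The class name UploadGuard, the allowlist contents and the upload root are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example; the class name, allowlist and upload root are assumptions,
// not EAFlashUpload settings.
public static class UploadGuard
{
    // Constructed allowlist: only the file types the application actually needs.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".png", ".gif", ".pdf" };

    // Returns the full path to save to, or null when the upload must be rejected.
    public static string ResolveSavePath(string clientFileName, string uploadRoot)
    {
        if (string.IsNullOrWhiteSpace(clientFileName)) return null;

        // Reject path separators and characters with special meaning to the
        // file system or web server instead of trying to sanitise them.
        if (clientFileName.IndexOfAny(new[] { '/', '\\', ':', ';' }) >= 0 ||
            clientFileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        // Windows drops trailing dots and spaces, which would change the extension on disk.
        if (clientFileName.EndsWith(".") || clientFileName.EndsWith(" ")) return null;

        // Only the final extension counts, and it must be on the allowlist.
        string ext = Path.GetExtension(clientFileName);
        if (!AllowedExtensions.Contains(ext)) return null;

        // Save under a server-generated name; the client-supplied name never reaches the disk.
        string root = Path.GetFullPath(uploadRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string target = Path.GetFullPath(
            Path.Combine(root, Guid.NewGuid().ToString("N") + ext.ToLowerInvariant()));

        // Defence in depth: the resolved path must still be inside the upload directory.
        return target.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? target : null;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "uploads"); // constructed sample root
        var names = new[] { "photo.JPG", "page.aspx", "photo.jpg.aspx", "..\\web.config", "report.pdf." };
        foreach (string name in names)
            Console.WriteLine("{0,-16} -> {1}", name, ResolveSavePath(name, root) ?? "REJECTED");
    }
}
```

An upload handler would call ResolveSavePath before writing anything to disk and return an error response when it yields null.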

Exploit-DB raw data:

# Exploit Title: EAFlashUpload v 2.5 File Arbitrary Upload
# Date: 21/03/2011
# Author: Daniel Godoy
# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
# Author Web: www.delincuentedigital.com.ar
# Software: EAFlashUpload v 2.5
# Software Link: http://www.easyalgo.com/downloads.aspx#EAFlashUpload
# Demo: http://www.site.com/examples/eaflashupload/simpleupload.aspx
 
[Comment]
Thanks to my friends: Hernan Jais, Alfonso Cuevas, Inyexion,
Login-Root, KikoArg, Ricota,
Truenex, TsunamiBoom, _tty0, Big, Sunplace, Killerboy, Erick
Jordan, Animacco, yojota, Pablin77, SPEED, Knet, Cereal,
MagnoBalt, l0ve, NetToxic,
Gusan0r, Sabertrail, Maxi Soler, Darioxhcx, r0dr1, y0u-know.
Special dedication to SIR