CameraLife-2.6.2b4 Arbitrary File Upload Vulnerability

vendor:

CameraLife

by:

Mi4night

7.5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: CameraLife

Affected Version From: 2.6.2b4

Affected Version To: 2.6.2b4

Patch Exists: NO

Related CWE: N/A

CPE: cameralife

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

CameraLife-2.6.2b4 Arbitrary File Upload Vulnerability

After registering a user can upload php files which can be accessed by changing the username in the exploit section.

Mitigation:

Restrict the file types that can be uploaded and verify the file type before allowing the upload.

Source

Exploit-DB raw data:

[+] CameraLife-2.6.2b4 Arbitrary File Upload Vulnerability

[+] Author:Mi4night

[+] Version:cameralife-2.6.2b4

[+] Download Script:
[+] http://sourceforge.net/project/showfiles.php?group_id=70910&package_id=70316&release_id=628868

[+] Exploit:
[+] http://127.0.0.1/cameralife/images/photos/upload/Mi4night/yourshell.php

[+] Description:
[+] After registering you can upload php files which you can access just like in the exploit section! Change Mi4night with your username.

[+] Greets to : nuclear, cAs,zYzTeM, Sys32-Hack, Pepe, G-Emp!RE, ThaWhiteNigga, *Z.i.P*,THE_MAN, I-O-W-A, Digitalfortress, DiGitalX, sys32r, pentest, Pig, d3v1l, watchdog, Gibon

# milw0rm.com [2008-09-27]