Vendor: Upload Vulnerability
By: indoushka
CVSS: 7.5 (HIGH)
CWE: 434
Product Name: Upload Vulnerability
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2008

Free Image & File Hosting Upload Vulnerability

A file upload vulnerability exists in Free Image & File Hosting that allows an attacker to upload malicious files to the server. It can be exploited by sending a specially crafted HTTP request with a malicious file attached. The attacker can then access the uploaded file from the server.

Mitigation:

Ensure that the application is configured to accept only uploads with the expected file extensions and the expected file size.
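
A server-side form of these checks, as an added example (not code from the affected script or from the advisory author). The field name `file`, the extension allowlist, the 2 MiB cap and the storage path are assumptions. It also checks the detected content type and stores the file under a server-generated name, because the exploit notes below show the request being altered in transit and the stored file being reachable by name under `uploads/`.

```php
<?php
// Added example: hardened upload handler. The field name "file", the allowlist,
// the size cap and the storage path are assumptions, not taken from the script.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;              // assumed size limit (2 MiB)
const ALLOWED = [                                // extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];
const STORE_DIR = '/var/lib/uploader/files';     // assumed path outside the web root

function store_upload(array $f): string
{
    // Reject failed or non-upload entries; never trust a path from the request.
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Size is measured on the server, not read from the request field.
    $size = filesize($f['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('unexpected file size');
    }
    // Only the final extension of the client name is used, and only as a lookup key.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('unexpected file extension');
    }
    // The content type is detected from the bytes; $f['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Store under a server-generated name so the client never chooses the filename.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], STORE_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

try {
    echo store_upload($_FILES['file'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```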

Exploit-DB raw data:

========================================================================================                  
| # Title    : Free Image & File Hosting Upload Vulnerability      
| # Author   : indoushka                                                               
| # email    : indoushka@hotmail.com                                                   
| # Home     : www.iqs3cur1ty.com                                                                              
| # Web Site : http://dl.p30vel.ir/scripts/vel_file_uploader_v1.1.zip                                                                                                                                  
| # Dork     : Copyright 2008 Free Image & File Hosting 
| # Tested on: Windows SP2 French V.(Pnx2 2.0) + Linux French v.(9.4 Ubuntu)
| # Bug      : upload                                                                      
======================      Exploit By indoushka       =================================
 # Exploit  : 
 
 1 - http://127.0.0.1/vel_file_uploader_v1.1/index.php (Use Tamper Data)
 
 2 - http://127.0.0.1/vel_file_uploader_v1.1/uploads/ (File Name)


Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz : 
Exploit-db Team : 
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
---------------------------------------------------------------------------------------------------------------