Vendor: Real Estate
By: ZoRLu
CVSS: 7.5 HIGH
Remote File upload
CWE: 434
Product Name: Real Estate
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
geta php Real Estate Remote File upload
A vulnerability in geta php Real Estate allows an attacker to upload a malicious file to the server. An attacker can register on the site, log in, and edit their profile to upload a malicious file. The uploaded file is then accessible at the path localhost/script/re_images/[ID]_logo_your_shell.php. An example can be seen by logging in at http://www.getaphpsite.com/demos/realty/login.php with user zorlu and password zorlu1; the uploaded file can be accessed at http://www.getaphpsite.com/demos/realty/re_images/1227371905_logo_c.php
Mitigation:
Ensure that the application is configured to only allow the upload of files with the appropriate file extensions and that the application is configured to only allow the upload of files to the appropriate directory.
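
One way to implement the checks described in the mitigation, as an added example in PHP that is not code from geta php Real Estate or from the original advisory. The function names, the allowlists and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example; function names and allowlists are assumptions, not the product's code.
const LOGO_EXTS  = ['png', 'jpg', 'jpeg', 'gif'];
const LOGO_MIMES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns a server-generated name for an acceptable logo, or null to reject it.
function safe_logo_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, LOGO_EXTS, true)) {
        return null; // extension is not on the allowlist (e.g. .php)
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $storedExt = is_string($mime) ? (LOGO_MIMES[$mime] ?? null) : null;
    if ($storedExt === null) {
        return null; // file content is not an allowed image type
    }
    // Nothing from the client-supplied name is reused in the stored name.
    return bin2hex(random_bytes(16)) . '_logo.' . $storedExt;
}

// Moves one entry of $_FILES into $destDir only after it passes the checks above.
function store_logo(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safe_logo_name($file['name'], $file['tmp_name']);
    if ($name === null || !move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        return null;
    }
    return $name;
}

// Constructed samples: a script file and a 1x1 PNG, written to temp files.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'constructed sample'; ?>");
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII='));

// Cases: script with script extension, script renamed to .png, genuine PNG.
foreach ([['c.php', $script], ['c.png', $script], ['logo.png', $png]] as [$clientName, $path]) {
    $stored = safe_logo_name($clientName, $path);
    printf("%-9s %s\n", $clientName, $stored === null ? 'rejected' : "accepted as $stored");
}
unlink($script);
unlink($png);
```

The directory passed to `store_logo` should be one the web server serves as static files without executing scripts, so that a file that slips past the checks is still not run.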