vendor:
PHP F1 Webscripts
by:
wlhaan
8.8
CVSS
HIGH
Upload Shell Upload Vulnerability
434
CWE
Product Name: PHP F1 Webscripts
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020
PHP F1 Upload Shell Upload Vulnerability
This vulnerability allows an attacker to upload a malicious shell to a vulnerable website running the PHP F1 webscripts. The attacker can use the Google Dork “Photo Album” “Powered by PHP F1” to find vulnerable websites. The attacker can then access the admin.php page and upload a malicious shell with the name shell.php.pjpeg. The attacker can then access the shell by going to the URL http://server/path/original/shell.php.pjpeg.
Mitigation:
The website should be updated to the latest version of PHP F1 and the admin.php page should be secured with authentication.