Vendor: tizag-countdown_Version_3
By: Ahmadbady
CVSS: 7.5 (HIGH)
Remote File Upload
CWE: 434
Product Name: tizag-countdown_Version_3
Affected Version From: tizag-countdown_Version_3
Affected Version To: tizag-countdown_Version_3
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Remote File Upload

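A vulnerability in the tizag-countdown_Version_3 script allows an attacker to upload a malicious file to the server through the upload form at www.site.com/path/index.php. The uploaded file is stored in the web-accessible pics/ directory and can then be accessed via the URL www.site.com/path/pics/file.php.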

Mitigation:

Ensure that the application is configured to only allow the upload of files with the expected file types and extensions. Additionally, ensure that the application is configured to only allow the upload of files to the expected directory.
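
One way to apply both checks in PHP, shown as an added example that is not taken from the tizag-countdown code. The function name `store_countdown_image`, the form field `picture`, the size limit, and the use of `pics/` as the only destination are assumptions made for illustration.

```php
<?php
// Added example (not the vendor's code): allowlisted image upload into one fixed directory.
// Assumed names: store_countdown_image(), form field "picture", destination "pics/".

const ALLOWED_TYPES = [            // detected MIME type => extension assigned by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2097152;         // 2 MiB, an assumed limit

function store_countdown_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('not a valid HTTP upload');
    }

    // Decide the type from the file content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('file type not allowed');
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }

    // The destination is fixed by the application; it must already exist.
    $dir = realpath($destDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('upload directory missing');
    }

    // Server-generated name: the client's filename (file.php, x.php.jpg, ../x) is discarded,
    // so it cannot choose the extension or the path.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = $dir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);          // readable, never executable
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['picture'])) {
    echo store_countdown_image($_FILES['picture'], __DIR__ . '/pics');
}
```

Configuring the web server so that nothing under the upload directory is handed to the PHP interpreter is a useful second layer if one of these checks is ever bypassed.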

Exploit-DB raw data:

****(remote file upload)****

script: tizag-countdown_Version_3
                   
***************************************************************************
download from:http://www.tizag.com/downloads/tizag-countdown_Version_3.zip
                                                                                                         
***************************************************************************
www.site.com/path/index.php (upload file.php)

shell= www.site.com/path/pics/file.php
                          
***************************************************


Author: ahmadbady 

my mail: kivi_hacker666@yahoo.com

***************************************************

# milw0rm.com [2008-12-05]