onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the Upload File screen - Githubissues

Self-Evident / OneFileCMS

A single file cms - all in one file!

http://onefilecms.com/

165 stars 57 forks source link

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the Upload File screen #48

Open havysec opened 6 years ago

havysec commented 6 years ago

access http://fragrant:30001/OneFileCMS/onefilecms.php by username/password

Click Upload File -> abc.php -> Browse -> select abc.php -> Click Upload

access http://fragrant:30001/abc.php