blackguerilla / clients-oriented-ftp

Automatically exported from code.google.com/p/clients-oriented-ftp
0 stars 0 forks source link

Arbitrary File Upload #533

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Twice a subdomain of one of my clients where I installed ProjectSend r561 was 
hacked and being able to create a folder (emails/admin.php) from which they 
were sent spam ! 
How was it possible?

This bug was found (see screenshot of cxsecurity.com) in ProjectSend r561.
It has been resolved in some way?

Thanks

Original issue reported on code.google.com by lorenzod...@gmail.com on 5 May 2015 at 9:10

Attachments:

GoogleCodeExporter commented 9 years ago
This is code to hack!
http://packetstormsecurity.com/files/129759/ProjectSend-Arbitrary-File-Upload.ht
ml

Original comment by lorenzod...@gmail.com on 5 May 2015 at 10:34

GoogleCodeExporter commented 9 years ago
I think this is a VERY BIG BUG!!
None of you have come across and has a fix it??

Thanks

Original comment by lorenzod...@gmail.com on 13 May 2015 at 11:26

GoogleCodeExporter commented 9 years ago
Hi Lorenzo, the author has not updated a fix, however this may work: 
https://github.com/ignacionelson/ProjectSend/blob/master/process-upload.php

Original comment by Ner...@gmail.com on 19 May 2015 at 6:09

GoogleCodeExporter commented 9 years ago
Oh, also good to disable code execution in the upload and temp upload folder.

Original comment by Ner...@gmail.com on 19 May 2015 at 6:10