Arbitrary file upload in OptimizePress - CVE-2013-7102
Published: January 16, 2017 / Updated: March 11, 2017
Vulnerability identifier: #VU4750
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2013-7102
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: OptimizePress
Affected software:
OptimizePress
OptimizePress
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The weakness exists due to improper validation of file extensions in "lib/admin/media-upload.php" script. A remote attacker can create a specially crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.
The weakness exists due to improper validation of file extensions in "lib/admin/media-upload.php" script. A remote attacker can create a specially crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.
How to mitigate CVE-2013-7102
Install update from vendor's website.