Unrestricted file upload in Simple File Upload - CVE-2011-5148
Published: March 24, 2017 / Updated: September 14, 2018
Vulnerability identifier: #VU6169
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2011-5148
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Anders Wasen
Affected software:
Simple File Upload
Simple File Upload
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The weakness exists due to the improper validation of file extensions by the index.php script. A remote attacker can send a specially-crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
The weakness exists due to the improper validation of file extensions by the index.php script. A remote attacker can send a specially-crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
How to mitigate CVE-2011-5148
Update to version 1.3.5.