#VU6169 Unrestricted file upload in Simple File Upload - CVE-2011-5148
Published: March 24, 2017 / Updated: September 14, 2018
Vulnerability identifier: #VU6169
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2011-5148
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Simple File Upload
Simple File Upload
Software vendor:
Anders Wasen
Anders Wasen
Description
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The weakness exists due to the improper validation of file extensions by the index.php script. A remote attacker can send a specially-crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
The weakness exists due to the improper validation of file extensions by the index.php script. A remote attacker can send a specially-crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Remediation
Update to version 1.3.5.