
#18 Arbitrary File Upload Vulnerability

Milestone: v1.0
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-07-09
Created: 2014-01-11
Private: No

[PORTUGUESE] - The system lets us upload any type of file, without even a filter or a directory restriction. An attacker can upload a malicious file, such as phpinfo.php, and access it through the browser.

[ENGLISH] - The system allows us to upload any type of file without any filter and without any directory restriction. An attacker could upload a malicious file, e.g. phpinfo.php, and access it via browser.

Related

Bugs: #18

Discussion

  • Simonas Juodelis

    But that's the purpose of this program - upload and manage ALL TYPES of files on the server! :)

     
    • wilson alves da silva

      Ok, thanks a lot

      Status: open
      Created: Sat Jan 11, 2014 03:56 PM UTC by wilson alves da silva
      Last Updated: Sat Jan 11, 2014 03:56 PM UTC
      Owner: nobody


      • Fabrício Seger Kolling

        Hi Wilson, Simonas Juodelis is right. The script is meant for administrators, and any file can be uploaded. Even so, you can search for the upload function and set your file extension limitations.

         

        Last edit: Fabrício Seger Kolling 2018-05-15
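As an added example, not phpfm's own code, here is what an extension allowlist of the kind Fabrício describes could look like inside a PHP upload function. The function and constant names, the allowed extensions, the `$uploadDir` parameter and the sample file names are assumptions; only the risk described in the ticket (a `.php` file being uploaded and then served) comes from the page.

```php
<?php
// Added example (not phpfm's own code): an allowlist check for an upload
// handler, as the maintainer's comment suggests. All names here are assumed.

declare(strict_types=1);

/** Extensions the administrator chooses to accept; anything else is rejected. */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv', 'zip'];

/**
 * Decide whether a browser-supplied file name may be stored.
 * Returns null when the name is acceptable, or a reason string when rejected.
 */
function upload_rejection_reason(string $clientName): ?string
{
    // Keep only the final path component: the client-supplied name must never
    // steer the file into another directory ("../../etc/x" becomes "x").
    $name = basename(str_replace('\\', '/', $clientName));

    if ($name === '' || $name === '.' || $name === '..') {
        return 'empty or dot-only file name';
    }
    if (preg_match('/[^A-Za-z0-9._-]/', $name)) {
        return 'file name contains characters outside [A-Za-z0-9._-]';
    }

    // Check every extension, not only the last one: a name such as
    // "shell.php.jpg" is executed as PHP by servers that honour multiple
    // extensions, so each dotted part must be on the allowlist.
    $parts = explode('.', $name);
    array_shift($parts);               // drop the base name itself
    if ($parts === []) {
        return 'file has no extension';
    }
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return "extension '.$ext' is not in the allowlist";
        }
    }
    return null;
}

/**
 * Store one entry of $_FILES after the checks above. $uploadDir (assumed
 * parameter) should be outside the web root, or be served with script
 * execution disabled, so that an allowlist slip does not become code execution.
 */
function store_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int) $file['error']);
    }
    $reason = upload_rejection_reason($file['name']);
    if ($reason !== null) {
        throw new RuntimeException('upload rejected: ' . $reason);
    }
    $target = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move uploaded file into place');
    }
    return $target;
}

// Constructed sample names; no real upload is needed to exercise the check.
$samples = ['report.pdf', 'phpinfo.php', 'shell.php.jpg', '../../index.php', 'photo.JPG'];
foreach ($samples as $n) {
    printf("%-18s -> %s\n", $n, upload_rejection_reason($n) ?? 'accepted');
}
```

With the constructed names above, `report.pdf` and `photo.JPG` pass, `phpinfo.php` and `shell.php.jpg` are rejected on the `.php` part, and `../../index.php` is reduced to `index.php` by `basename()` before being rejected. The allowlist only controls what is stored; whether a stored file can run still depends on where the upload directory sits and how the web server is configured to treat it.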
  • Fabrício Seger Kolling

    • status: open --> closed
     
