Posted on 27 October 2008

//Title - Zubrag Uploader 1.0 Arbitrary Shell Upload Vulnerability
//Vendor - zubrag.com/scripts/file-upload-form.php
//Version - 1.0
//Status - vendor has been notified
//Author - Dentrasi
//Description
It is possible to upload a PHP script to the remote site. The script attempts to hide the location of the file by renaming it, but fails to do so. Assuming default settings, the file will be uploaded to:

'/files/d41d8cd98f00b204e9800998ecf8427e.[extension]'

The script is not vulnerable on PHP 5 and above.
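
An added defensive check, not part of the original advisory or the vendor's code: it audits an upload directory for files that carry a script extension anywhere in their name and for the constant file name quoted above, which is the MD5 digest of empty input and therefore identical on every installation. The extension list, the function names and the demo tree are assumptions made for this example.

```python
import hashlib
import os
import tempfile

# The name quoted in the advisory is the MD5 digest of empty input,
# so renaming to it hides nothing: the value never changes.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# Assumption: name components a PHP-enabled web server may treat as script.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def classify(name):
    """Return the reasons a file name in an upload directory is suspicious."""
    parts = name.lower().split(".")
    reasons = []
    # Check every component after the stem so "x.php.txt" is also caught.
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        reasons.append("script extension")
    if parts[0] == EMPTY_MD5:
        reasons.append("predictable name")
    return reasons


def audit_upload_dir(root):
    """Walk root and return a sorted list of (relative_path, reasons)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = classify(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reasons))
    return sorted(findings)


def make_demo_tree(root):
    """Create a constructed sample upload directory (empty files only)."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    for rel in (EMPTY_MD5 + ".php", EMPTY_MD5 + ".jpg", "report.pdf",
                os.path.join("sub", "notes.php.txt")):
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        make_demo_tree(demo)
        for path, why in audit_upload_dir(demo):
            print(f"{path}: {', '.join(why)}")
```

Point `audit_upload_dir` at the real upload directory (the advisory's default is `/files/`) to review what is already stored there.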