ProjeQtor 4.5.2 Shell Upload

Posted on 29 September 2015

Vulnerability title: Arbitrary File Upload In ProjeQtor CVE: Not yet assigned Vendor: ProjeQtor Product: ProjeQtor Affected version: 4.5.2 Fixed version: 4.5.3 Reported by: Arturo Rodriguez Details: It was discovered that authenticated users were able to upload files with extensions: php3, php4, php5 or phtml to the web server. As a project member, go to Tickets > Create a new ticket > attach a php5 file and then go to http://<<projeqtorpath>>/files/attach/attachement_<<id>>/<<filename>>.php5 to execute the php code. example: http://localhost/projeqtor/files/attach/attachement_6/backdoor.php5?cmd=cat%20/etc/passwd Impact: An attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Customer Support System 1.0 Cross Site Scripting
Xhibiter NFT Marketplace 1.10.2 SQL Injection
WordPress WPCode Lite 2.1.14 Cross Site Scripting
Azon Dominator Affiliate Marketing Script SQL Injection
Simple Laboratory Management System 1.0 SQL Injection

Last 20