Back to list
imageVue16.1 upload vulnerability
Feb 11 2006 02:58PM
zjieb hotmail com
ImageVue is an online Flash gallery for viewing images. For more information about ImageVue visit http://www.imagevuex.com
In ImageVue one can upload images to the Gallery. The upload-script however isn't checking credentials nor does it check file extensions i.e. it's possible for any user to upload any file as long as the 'right' permissions have been set for the uploading folder.
1) check folder permissions
An XML-document is shown containing all folders and their permissions.
2) upload a file to a folder from the XML
Now you're ready to upload any file.
1) view dir listings
2) querystring is passed to style and body
[ reply ]
Copyright 2010, SecurityFocus