cbcvebase.
CVE-2008-4509
published 2008-10-09


Priority: P2 · 61 · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (EXPLOIT flag)
EPSS: 7.66% (93.8th percentile)
Unrestricted file upload vulnerability in processFiles.php in FOSS Gallery Admin and FOSS Gallery Public 1.0 beta allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the root directory.

Affected (1 range)

Vendor        Product       Version range   Fixed in
foss_gallery  foss_gallery  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: processFiles.php
url: http://<host>/processFiles.php
url: http://localhost/shell.php
  • Detect multipart/form-data POST requests to processFiles.php whose body contains the fields 'uploadNeed' and 'uploadFile0' and whose uploaded filename has a non-image (e.g., .php) extension.
  • Alert on HTTP GET requests to PHP files (e.g., shell.php, c99.php) in the web root shortly after a POST to processFiles.php; that sequence indicates a successful webshell upload followed by execution.
  • Detect the c99 webshell command execution pattern in HTTP requests: a query string containing 'act=cmd' combined with 'cmd_txt=1&submit=Execute', targeting an uploaded PHP file in the web root.
  • Flag the response string 'uploaded sucessful' (the typo is in the application) in HTTP responses from processFiles.php as confirmation that an arbitrary file upload was accepted. Legitimate uploads return the same string, so treat it as corroboration of the first rule rather than as a stand-alone alert.
  • The vulnerability affects both FOSS Gallery Admin and FOSS Gallery Public 1.0 beta. The upload endpoint processFiles.php is shared between both products, so detection rules should not be scoped to only one variant.
  • Uploaded files land directly in the web root, not in a sandboxed upload folder, so they are immediately web-accessible and executable by the server.
  • No server-side image format validation is performed; any file extension is accepted. Detection must cover all executable extensions (.php, .php5, .phtml, etc.), not just .php.
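The detection rules above, implemented as an added worked example that runs over constructed HTTP transaction records; this is not code from this page or from the FOSS Gallery project. The record layout (method, uri, src, ts, headers, body, response), the extra PHP handler extensions beyond .php/.php5/.phtml, the KNOWN_ROOT_FILES allowlist and the ten-minute correlation window are all assumptions made for the example, standing in for a proxy or WAF log that keeps request and response bodies (a plain access log carries neither, so rules 1, 3 and 4 cannot be written against it).

```python
"""Detection logic for the CVE-2008-4509 upload-then-execute pattern over
constructed HTTP transaction records.  Added example, not code from the page or
the FOSS Gallery project; record layout and extension list are assumptions."""
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/processFiles.php"
SUCCESS_MARKER = "uploaded sucessful"  # the application's own typo, kept verbatim
# .php/.php5/.phtml come from the page; the rest are assumed extra handler extensions.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
KNOWN_ROOT_FILES = {"index.php", "processfiles.php"}  # assumed legitimate root scripts
FILENAME_RE = re.compile(r'name="uploadFile\d+";\s*filename="([^"]*)"', re.I)
ROOT_FILE_RE = re.compile(r"^/([^/?]+)(?:\?(.*))?$")  # /name.ext[?query], no subdir

def _basename(filename):
    return filename.replace("\\", "/").rsplit("/", 1)[-1].lower()

def exec_extension(filename):
    """True if the final extension is one the PHP handler would execute."""
    name = _basename(filename)
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXEC_EXTS

def uploaded_exec_file(rec):
    """Rule 1: multipart POST to processFiles.php carrying uploadNeed and an
    uploadFileN part whose filename has an executable extension."""
    if (rec["method"] != "POST" or rec["uri"].split("?")[0] != UPLOAD_ENDPOINT
            or "multipart/form-data" not in rec["headers"].get("Content-Type", "")
            or 'name="uploadNeed"' not in rec["body"]):
        return None
    for fname in FILENAME_RE.findall(rec["body"]):
        if exec_extension(fname):
            return fname
    return None

def root_php_request(rec):
    """(filename, query) for a GET aimed straight at a root-level executable file."""
    if rec["method"] != "GET":
        return None
    m = ROOT_FILE_RE.match(rec["uri"])
    if m and exec_extension(m.group(1)):
        return m.group(1), (m.group(2) or "")
    return None

def c99_command(rec):
    """Rule 3: c99-style command execution against a root-level PHP file."""
    hit = root_php_request(rec)
    if not hit:
        return False
    params = dict(p.split("=", 1) for p in hit[1].split("&") if "=" in p)
    return params.get("act") == "cmd" and "cmd_txt" in params and params.get("submit") == "Execute"

def detect(records, window=timedelta(minutes=10)):
    """Apply the rules in time order.  Rule 2 correlates a root-level PHP GET with
    a recent POST to the upload endpoint; rule 4 only confirms a suspicious upload."""
    alerts, uploaded, last_upload_ts = [], set(), None
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["method"] == "POST" and rec["uri"].split("?")[0] == UPLOAD_ENDPOINT:
            last_upload_ts = rec["ts"]
            fname = uploaded_exec_file(rec)
            if fname:
                alerts.append(("exec_extension_upload", rec["src"], fname))
                uploaded.add(_basename(fname))
                if SUCCESS_MARKER in rec["response"]:
                    alerts.append(("upload_success_confirmed", rec["src"], fname))
        hit = root_php_request(rec)
        if hit and hit[0].lower() not in KNOWN_ROOT_FILES:
            if hit[0].lower() in uploaded:
                alerts.append(("uploaded_file_executed", rec["src"], "/" + hit[0]))
            elif last_upload_ts is not None and rec["ts"] - last_upload_ts <= window:
                alerts.append(("root_php_after_upload", rec["src"], "/" + hit[0]))
        if c99_command(rec):
            alerts.append(("c99_cmd_execution", rec["src"], rec["uri"]))
    return alerts

# Constructed sample traffic: a legitimate image upload, then an attacker uploading
# a webshell, fetching it, and issuing a c99-style command through it.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
_MULTIPART = {"Content-Type": "multipart/form-data; boundary=XX"}

def _body(filename, content):
    return ('--XX\r\nContent-Disposition: form-data; name="uploadNeed"\r\n\r\n1\r\n'
            '--XX\r\nContent-Disposition: form-data; name="uploadFile0"; '
            'filename="%s"\r\n\r\n%s\r\n--XX--' % (filename, content))

def _rec(method, uri, src, secs, headers=None, body="", response=""):
    return {"method": method, "uri": uri, "src": src, "ts": _T0 + timedelta(seconds=secs),
            "headers": headers or {}, "body": body, "response": response}

SAMPLE_RECORDS = [
    _rec("POST", "/processFiles.php", "10.0.0.5", 0, _MULTIPART, _body("holiday.jpg", "JFIF..."), "uploaded sucessful"),
    _rec("GET", "/index.php", "10.0.0.5", 5),
    _rec("POST", "/processFiles.php", "203.0.113.7", 60, _MULTIPART, _body("shell.php5", '<?php system($_GET["cmd"]); ?>'), "uploaded sucessful"),
    _rec("GET", "/shell.php5", "203.0.113.7", 62),
    _rec("GET", "/shell.php5?act=cmd&cmd_txt=1&submit=Execute&cmd=id", "203.0.113.7", 70),
    _rec("GET", "/images/holiday.jpg", "10.0.0.9", 80),
]

if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_RECORDS):
        print("%-26s %-13s %s" % (rule, src, detail))
```

On the constructed traffic the legitimate holiday.jpg upload produces no alert even though the server answers it with the same 'uploaded sucessful' string, because the success marker is only used to confirm an upload that rule 1 already flagged. The attacker's shell.php5 upload, the two direct requests to it in the web root, and the act=cmd query each produce their own alert, all attributed to 203.0.113.7. Rule 2 fires on any non-allowlisted root-level PHP GET inside the window even when the request body was not captured, which is the fallback for log sources that only see URLs.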