cbcvebase.
CVE-2008-6731
published 2009-04-20

Priority: P261 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 5.73% (92.1st percentile)
Unrestricted file upload vulnerability in submitlink.php in FlexPHPLink Pro 0.0.7 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the renamed file in linkphoto/.

Affected (1 range)

Vendor          Product        Version range   Fixed in
china-on-site   flexphplink    –               –

Detection & IOCs (extracted from sources)

  • Monitor POST requests to /submitlink.php containing multipart file uploads where the uploaded filename has an executable PHP extension (e.g., .php), indicating exploitation of the unrestricted file upload vulnerability.
  • Alert on GET requests to /linkphoto/*.php containing query parameters ?cmd= or ?adm=get, which are the backdoor's remote command execution and credential disclosure triggers.
  • Detect the presence of the string 'RCE backdoor' in HTTP responses from the /linkphoto/ directory, which is the unique marker embedded in the uploaded webshell payload.
  • The exploit renames the uploaded file using a Unix timestamp as the filename (e.g., /linkphoto/1234567890.php). Monitor for numerically-named .php files appearing in the /linkphoto/ directory.
  • The multipart POST to submitlink.php uses the field name 'userfile' with a filename of '.php' to smuggle the PHP backdoor. Inspect multipart Content-Disposition headers for this pattern.
  • The exploit confirms successful upload by checking the HTTP response body for the string 'Thank you for your submission'. This string may vary across versions or localizations of FlexPHPLink Pro.
  • The vulnerability is specific to FlexPHPLink Pro version 0.0.7. Other versions are not confirmed affected.
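As an added example, not part of this record, the following Python scanner applies the indicators above that are visible in a web server access log (POSTs to /submitlink.php, PHP files served from /linkphoto/, timestamp-style names, and the ?cmd= / ?adm=get triggers) to constructed sample lines; the multipart Content-Disposition and response-body indicators need request/response capture and are not covered here. The combined log format, client addresses and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined"-style access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Any .php file directly under the upload directory named in the advisory.
LINKPHOTO_PHP = re.compile(r'^/linkphoto/(?P<name>[^/]+)\.php$', re.IGNORECASE)

def classify(line):
    """Return the detection tags that fire for one access-log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    tags = []
    method, target = m["method"], m["target"]
    url = urlsplit(target)
    path, query = url.path, parse_qs(url.query, keep_blank_values=True)
    # POST to the vulnerable upload handler: correlate with the rules below.
    if method == "POST" and path.lower() == "/submitlink.php":
        tags.append("upload-endpoint-post")
    lp = LINKPHOTO_PHP.match(path)
    if lp:
        tags.append("php-in-linkphoto")          # PHP should not live in a photo directory
        if lp["name"].isdigit():                 # Unix-timestamp rename described in the IOCs
            tags.append("timestamp-named-php")
        if "cmd" in query:                       # remote command trigger
            tags.append("webshell-cmd")
        if query.get("adm") == ["get"]:          # credential disclosure trigger
            tags.append("webshell-adm-get")
    return tags

def scan(log_text):
    """Return (line_number, tags) for every line matching at least one rule."""
    return [(i, t) for i, ln in enumerate(log_text.splitlines(), 1) if (t := classify(ln))]

# Constructed sample traffic (assumed format; not real log data).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2009:10:00:01 +0000] "POST /submitlink.php HTTP/1.1" 200 512
203.0.113.5 - - [20/Apr/2009:10:00:03 +0000] "GET /linkphoto/1240221601.php?cmd=test HTTP/1.1" 200 88
203.0.113.5 - - [20/Apr/2009:10:00:05 +0000] "GET /linkphoto/1240221601.php?adm=get HTTP/1.1" 200 140
198.51.100.7 - - [20/Apr/2009:10:01:00 +0000] "GET /linkphoto/holiday.jpg HTTP/1.1" 200 20480
198.51.100.7 - - [20/Apr/2009:10:01:02 +0000] "GET /index.php?page=links HTTP/1.1" 200 3072
"""

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(tags)}")
```

A single POST to submitlink.php is normal application use; the sequence POST followed by a request for a numerically named .php file from the same client is the pattern worth alerting on.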