CVE-2008-6731
published 2009-04-20CVE-2008-6731: Unrestricted file upload vulnerability in submitlink.php in FlexPHPLink Pro 0.0.7 allows remote attackers to execute arbitrary PHP code by uploading a file…
PriorityP261critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
5.73%
92.1th percentile
Unrestricted file upload vulnerability in submitlink.php in FlexPHPLink Pro 0.0.7 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the renamed file in linkphoto/.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| china-on-site | flexphplink | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor POST requests to /submitlink.php containing multipart file uploads where the uploaded filename has an executable PHP extension (e.g., .php), indicating exploitation of the unrestricted file upload vulnerability. ↗
- →Alert on GET requests to /linkphoto/*.php containing query parameters ?cmd= or ?adm=get, which are the backdoor's remote command execution and credential disclosure triggers. ↗
- →Detect the presence of the string 'RCE backdoor' in HTTP responses from the /linkphoto/ directory, which is the unique marker embedded in the uploaded webshell payload. ↗
- →The exploit renames the uploaded file using a Unix timestamp as the filename (e.g., /linkphoto/1234567890.php). Monitor for numerically-named .php files appearing in the /linkphoto/ directory. ↗
- →The multipart POST to submitlink.php uses the field name 'userfile' with a filename of '.php' to smuggle the PHP backdoor. Inspect multipart Content-Disposition headers for this pattern. ↗
- ·The exploit confirms successful upload by checking the HTTP response body for the string 'Thank you for your submission'. This string may vary across versions or localizations of FlexPHPLink Pro. ↗
- ·The vulnerability is specific to FlexPHPLink Pro version 0.0.7. Other versions are not confirmed affected. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
http://secunia.com/advisories/33343http://www.osvdb.org/53187http://www.securityfocus.com/bid/33034https://exchange.xforce.ibmcloud.com/vulnerabilities/47614https://www.exploit-db.com/exploits/7600http://secunia.com/advisories/33343http://www.osvdb.org/53187http://www.securityfocus.com/bid/33034https://exchange.xforce.ibmcloud.com/vulnerabilities/47614https://www.exploit-db.com/exploits/7600
2009-04-20
Published