CVE-2008-7209
published 2009-09-11

Priority: P3, 55, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 6.01% (92.4th percentile)
Unrestricted file upload vulnerability in the add2 action in a_upload.php in OneCMS 2.4, and possibly earlier, allows remote attackers to execute arbitrary code by uploading a file with an executable extension and using a safe content type such as image/gif, then accessing it via a direct request to the file in an unspecified directory.

Affected (1 range)

Vendor: insane_visions
Product: onecms
Version range: <= 2.4
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /OneCMS_v2.4/a_upload.php?view=add2
url: /OneCMS_v2.4/staff.php?user=aaa' union select 1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/*
path: a_upload.php
path: a_login.php
path: staff.php
  • Detect arbitrary file upload bypass: attacker uploads a file with an executable extension (e.g., .php) while spoofing the Content-Type as image/gif, image/jpeg, image/bmp, or image/png to pass the server-side type check in a_upload.php.
  • Detect SQL injection authentication bypass in login: monitor POST requests to a_login.php where the username field contains SQL metacharacters such as single quotes and comment sequences (e.g., admin' or 1=1 /*).
  • Detect SQL injection in staff.php via the 'user' GET parameter: look for UNION SELECT payloads targeting onecms_users table, especially when magic_quotes_gpc is Off.
  • Detect exploitation cookie pattern: requests to a_upload.php with a cookie containing SQL injection payload in the username field (e.g., username=admin'or 1=1/*) combined with a multipart file upload of a .php file.
  • The vulnerable upload copies the file directly to the server path using the attacker-controlled filename without sanitization: monitor for newly created .php (or other executable) files in the upload directory following a POST to a_upload.php?view=add2.
  • The SQL injection in staff.php (user parameter) only works when magic_quotes_gpc is Off on the server; environments with magic_quotes_gpc enabled are not vulnerable to that specific vector.
  • The file upload vulnerability relies solely on the client-supplied Content-Type header for validation; the server does not verify actual file content, meaning any executable file disguised with an image MIME type will be accepted.
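The detection bullets above can be turned into a request inspector. The following is an added example (not code from the CVE record or from OneCMS) that parses a raw HTTP request, flags a POST to a_upload.php?view=add2 whose file part carries an executable extension under an image Content-Type, checks whether the part's leading bytes actually match the declared image type (the check the application itself lacks), and flags SQL metacharacters in the username cookie field. The request body, cookie value and path are constructed samples modelled on the indicators listed on this page.

```python
import re
from email import message_from_bytes
from email.policy import default

EXEC_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")  # served as code by PHP
IMAGE_MAGIC = {"image/gif": (b"GIF87a", b"GIF89a"), "image/jpeg": (b"\xff\xd8\xff",),
               "image/png": (b"\x89PNG\r\n\x1a\n",), "image/bmp": (b"BM",)}
SQLI_USERNAME = re.compile(r"(?:^|;\s*)username=[^;]*(?:'|/\*|--)")  # metacharacters in the cookie field

def parse_request(raw: bytes):
    # Split a raw HTTP request into (method, target, headers, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return method, target, headers, body

def inspect_upload(raw: bytes) -> list[str]:
    # Findings for a POST to a_upload.php?view=add2; empty list for other requests or a clean upload.
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    findings = []
    if method != "POST" or not path.endswith("/a_upload.php") or "view=add2" not in query:
        return findings
    if SQLI_USERNAME.search(headers.get("cookie", "")):
        findings.append("sql metacharacters in username cookie")
    ctype_hdr = headers.get("content-type", "")
    if not ctype_hdr.startswith("multipart/"):
        return findings
    # The stdlib MIME parser handles multipart/form-data once given a Content-Type header.
    msg = message_from_bytes(b"Content-Type: " + ctype_hdr.encode("latin-1") + b"\r\n\r\n" + body, policy=default)
    for part in msg.iter_parts():
        name = part.get_filename()
        if not name:
            continue  # ordinary form field, not a file
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_EXT) and ctype.startswith("image/"):
            findings.append(f"executable filename {name!r} declared as {ctype}")
        if ctype in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ctype]):
            findings.append(f"{name!r} content does not match declared {ctype}")
    return findings

# Constructed sample request (not a real capture) shaped like the pattern described on the page.
SAMPLE = (b"POST /OneCMS_v2.4/a_upload.php?view=add2 HTTP/1.1\r\nHost: cms.example\r\n"
          b"Cookie: username=admin'or 1=1/*\r\nContent-Type: multipart/form-data; boundary=XX\r\n\r\n"
          b"--XX\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"cmd.php\"\r\n"
          b"Content-Type: image/gif\r\n\r\nplaceholder body, not GIF data\r\n--XX--\r\n")

if __name__ == "__main__":
    for finding in inspect_upload(SAMPLE):
        print(finding)
```

Running it against SAMPLE yields three findings (cookie, extension/MIME mismatch, magic-byte mismatch); a genuine .gif upload with a normal username cookie yields none.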