CVE-2008-7209
Published 2009-09-11
Priority: P3 (score 55, high)
CVSS 2.0: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit indexed
EPSS: 6.01% (92.4th percentile)
Unrestricted file upload vulnerability in the add2 action in a_upload.php in OneCMS 2.4, and possibly earlier, allows remote attackers to execute arbitrary code by uploading a file with an executable extension and using a safe content type such as image/gif, then accessing it via a direct request to the file in an unspecified directory.
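To make the described weakness concrete, the following is an added Python model (not OneCMS code, whose a_upload.php is PHP) of a validator that trusts only the client-supplied Content-Type, placed beside a hardened check that ignores that header and decides on the extension and the file's leading bytes instead. The function names, the magic-byte table and the sample payloads are assumptions of this example.

```python
"""Added example: a content-type-only upload check of the kind the advisory
describes, next to a hardened check. This models the described logic in Python;
it is not OneCMS's a_upload.php (which is PHP). Names, the magic-byte table and
the sample payloads below are assumptions of this example."""
import os
import secrets

# Content types the weak check treats as "safe" (the ones named in the advisory).
SAFE_IMAGE_TYPES = {"image/gif", "image/jpeg", "image/bmp", "image/png"}

# Hardened policy: allowlisted extensions and the leading bytes each must carry.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}
ALLOWED_EXTENSIONS = set(MAGIC)

# Constructed sample bodies: a PHP script posing as an image, and a minimal GIF header.
PHP_SAMPLE = b"<?php echo 'not an image'; ?>\n"
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"


def vulnerable_check(filename: str, content_type: str) -> bool:
    """Accept purely on the client-supplied Content-Type header.
    The filename, and so the extension the web server will hand to the PHP
    interpreter, is never examined: shell.php sent as image/gif passes."""
    return content_type.lower() in SAFE_IMAGE_TYPES


def hardened_check(filename: str, content_type: str, data: bytes) -> bool:
    """Ignore the Content-Type header; decide on the name and the bytes.
    Requires an allowlisted extension, a single extension (no shell.php.gif),
    and magic bytes that agree with that extension."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if "." in root:  # double extensions can reach a PHP handler on permissive servers
        return False
    return any(data.startswith(m) for m in MAGIC[ext])


def stored_name(filename: str) -> str:
    """Server-chosen on-disk name: random token plus the validated extension,
    so the attacker-controlled filename never reaches the filesystem."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("weak check accepts shell.php as image/gif:",
          vulnerable_check("shell.php", "image/gif"))
    print("hardened check accepts shell.php as image/gif:",
          hardened_check("shell.php", "image/gif", PHP_SAMPLE))
    print("hardened check accepts a real GIF:",
          hardened_check("photo.gif", "image/gif", GIF_SAMPLE))
```

The Content-Type header is chosen by the client, so it carries no evidence about the file at all; the hardened check never reads it. Renaming on disk closes the second half of the bug, where the attacker-supplied name is written straight into a web-served directory. Storing uploads outside the document root, or in a directory with script execution disabled, is the usual defence-in-depth on top of this.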
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| insane_visions | onecms | <= 2.4 | — |
Detection & IOCs (extracted from sources)

- URL: /OneCMS_v2.4/staff.php?user=aaa' union select 1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/*

Detections:
- Arbitrary file upload bypass: the attacker uploads a file with an executable extension (e.g. .php) while spoofing the Content-Type as image/gif, image/jpeg, image/bmp or image/png to pass the server-side type check in a_upload.php.
- SQL injection authentication bypass in login: monitor POST requests to a_login.php where the username field contains SQL metacharacters such as single quotes and comment sequences (e.g. admin' or 1=1 /*).
- SQL injection in staff.php via the user GET parameter: look for UNION SELECT payloads targeting the onecms_users table; this vector requires magic_quotes_gpc to be Off.
- Exploitation cookie pattern: requests to a_upload.php whose cookie carries a SQL injection payload in the username field (e.g. username=admin'or 1=1/*) combined with a multipart upload of a .php file.
- The vulnerable upload copies the file to the server path under the attacker-controlled filename without sanitization: monitor for newly created .php (or other executable) files in the upload directory following a POST to a_upload.php?view=add2.

Caveats:
- The SQL injection in staff.php (user parameter) only works when magic_quotes_gpc is Off; environments with magic_quotes_gpc enabled are not vulnerable to that specific vector. Note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so any host on a current PHP runs with it Off.
- The file upload check relies solely on the client-supplied Content-Type header; the server does not inspect the file content, so any executable file presented with an image MIME type is accepted.
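The detections and caveats above, turned into runnable logic as an added example (not a rule from any of the page's sources). It assumes requests have already been parsed into one dict each, with form fields, cookies and multipart parts separated, and the sample traffic is constructed for the demonstration, not captured data.

```python
"""Added example: detection logic for the indicators listed above, run over
constructed HTTP request records. Not a rule from the page's sources. The
record layout (one dict per request, with already-parsed form fields, cookies
and multipart parts) and the sample traffic are assumptions of this example."""
import re
from urllib.parse import parse_qs, urlparse

IMAGE_TYPES = {"image/gif", "image/jpeg", "image/bmp", "image/png"}
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phps|cgi|pl|asp|aspx|jsp)$", re.I)
# matches admin' or 1=1 /*  as well as the cookie variant admin'or 1=1/*
SQLI_AUTH = re.compile(r"'\s*(?:or|and)\s+1\s*=\s*1\s*(?:/\*|--|#)", re.I)
UNION_USERS = re.compile(r"union\s+(?:all\s+)?select\b.*\bfrom\s+onecms_users\b", re.I | re.S)


def check_request(req):
    """Return the names of the rules a single request record trips."""
    parsed = urlparse(req["url"])
    path = parsed.path.lower()
    qs = parse_qs(parsed.query)
    form = req.get("form", {})
    cookies = req.get("cookies", {})
    files = req.get("files", [])  # (filename, content_type) per multipart part
    hits = []

    # 1. add2 upload of an executable extension under an image MIME type
    if path.endswith("a_upload.php") and req["method"] == "POST" \
            and "add2" in qs.get("view", []):
        if any(EXEC_EXT.search(n) and t.lower() in IMAGE_TYPES for n, t in files):
            hits.append("upload-exec-ext-image-mime")

    # 2. UNION SELECT against onecms_users through staff.php?user=
    if path.endswith("staff.php") and any(UNION_USERS.search(v) for v in qs.get("user", [])):
        hits.append("staff-user-union-select")

    # 3. auth bypass payload in the a_login.php username field
    if path.endswith("a_login.php") and req["method"] == "POST" \
            and SQLI_AUTH.search(form.get("username", "")):
        hits.append("login-username-sqli")

    # 4. injected username cookie presented to a_upload.php
    if path.endswith("a_upload.php") and SQLI_AUTH.search(cookies.get("username", "")):
        hits.append("upload-cookie-username-sqli")

    return hits


def scan(records):
    """(index, rule) pairs for every hit across a batch of records."""
    return [(i, rule) for i, req in enumerate(records) for rule in check_request(req)]


def executable_names(names):
    """Post-hoc check for the upload directory listing: names with an executable
    extension, which should never appear there after a legitimate add2."""
    return sorted(n for n in names if EXEC_EXT.search(n))


# Constructed sample traffic (not captured data); the first three mirror the
# payload shapes quoted above, the last two are benign.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/OneCMS_v2.4/a_upload.php?view=add2",
     "cookies": {"username": "admin'or 1=1/*"},
     "files": [("shell.php", "image/gif")]},
    {"method": "GET", "url": "/OneCMS_v2.4/staff.php?user=aaa' union select "
     "1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/*"},
    {"method": "POST", "url": "/OneCMS_v2.4/a_login.php",
     "form": {"username": "admin' or 1=1 /*", "password": "x"}},
    {"method": "POST", "url": "/OneCMS_v2.4/a_upload.php?view=add2",
     "files": [("photo.gif", "image/gif")]},
    {"method": "GET", "url": "/OneCMS_v2.4/staff.php?user=alice"},
]

if __name__ == "__main__":
    for i, rule in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {rule}")
    print(executable_names(["1.gif", "shell.php", "x.PHP5", "notes.txt"]))
```

Rules 3 and 4 need the request body and cookies, which a plain access log does not carry; run them from a WAF, reverse proxy or application log that records those fields. Rule 1 keys on the multipart part's own Content-Type, the exact header the vulnerable check trusts, so a benign image upload never matches while a .php part labelled image/gif always does.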
References
- http://osvdb.org/51117
- http://sourceforge.net/forum/forum.php?forum_id=774946
- http://www.bugreport.ir/index_26.htm
- http://www.securityfocus.com/archive/1/485837/100/200/threaded
- http://www.securityfocus.com/archive/1/487136/100/200/threaded
- http://www.securityfocus.com/bid/27158
- http://www.vupen.com/english/advisories/2008/0081
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39485
- https://www.exploit-db.com/exploits/4857