Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (File Transfer/Sharing)  >   Simplicity oF Upload Vendors:
Simplicity oF Upload Lets Remote Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID:  1014591
SecurityTracker URL:
CVE Reference:   CVE-2005-2607   (Links to External Site)
Updated:  Jul 6 2008
Original Entry Date:  Jul 28 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.3
Description:   rgod reported a vulnerability in Simplicity oF Upload. A remote user can upload and then execute arbitrary code on the target system.

The script does not properly validate user-supplied input in the 'language' parameter. A remote user can supply a specially crafted parameter value ending in a null byte (%00) to include arbitrary local files.

A remote user can submit the following URL to cause both the download and upload pages to load at the same time:


This allows the remote user to upload a file that contains arbitrary PHP code but has a filename that appears to be an image file (e.g., 'cmd.gif'). A demonstration exploit file is provided:




Then, the remote user can invoke the uploaded file to execute arbitrary commands on the target system with the privileges of the target web service. A demonstration exploit URL is provided:


A remote user can also supply a specially crafted URL that, when loaded by the target user, will redirect the target user to another web page:


Impact:   A remote user can upload arbitrary code to the target system and then have the web server execute the code.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Simplicity OF Upload 1.3 (possibly prior versons) remote code execution & cross site scripting

Simplicity OF Upload 1.3 (possibly prior versons) remote code execution
& cross site scripting
author site:

remote commands execution:
problem at line 25-30:
//check for language overriding..
if (isset($_GET['language']))
   $language = strtolower($_GET['language']);
//now we include the language file
you can include whatever adding a null byte to "language" parameter value:
you will see upload & download page together :)
so you can upload a cmd.gif (when you upload a .php file, usually it is
renamed to .html...)  file with this php code inside to execute
then try this url:
to list directories
to show /etc/passwd file
cross site scripting:
also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:
"Powered By: Simplicity oF Upload"

email: rgod[at]
original advisory:
 FREE Emoticons for your email! Click Here!                                        

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC