Informations : °°°°°°°°°°°°° Language : PHP Version : 6.7 Website : http://www.phpnuke.org Problem : File Upload PHP Code/Location : °°°°°°°°°°°°°°°°°°° modules/WebMail/mailattach.php : ------------------------------------------------------------------------------------------------------------------- if (isset($userfile) AND $userfile != "none" AND !ereg("/", $userfile) AND !ereg("\.\.", $userfile) AND !ereg("%", $userfile)) { if (ini_get(file_uploads) AND $attachments == 1) { $updir = "tmp"; @copy($userfile, "$updir/$userfile_name"); @unlink($userfile); } } ------------------------------------------------------------------------------------------------------------------- Exploit : °°°°°°° Anyone can choose the path, the name and the extention of a file to upload. Here the file is saved into http://[target]/modules/AvantGo/language/bad.php and can be included and executed with the URL http://[target]/modules.php?name=AvantGo&file=langague/bad :