onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the Upload File screen

access http://fragrant:30001/OneFileCMS/onefilecms.php by username/password

![image](https://user-images.githubusercontent.com/22767054/42224170-04f09de8-7f0c-11e8-8824-7134c8a954ef.png)


Click `Upload File` -> abc.php -> `Browse` -> select abc.php -> Click `Upload`

![image](https://user-images.githubusercontent.com/22767054/42224282-46d3774e-7f0c-11e8-9e14-d8b31afad85c.png)

![image](https://user-images.githubusercontent.com/22767054/42224306-54d2b40e-7f0c-11e8-8c42-2c78e4622f07.png)


access http://fragrant:30001/abc.php 

![image](https://user-images.githubusercontent.com/22767054/42224341-686439d4-7f0c-11e8-94c1-ad0f34ff1e76.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the Upload File screen #48

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the Upload File screen #48

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions