qdPM myAccount Arbitrary File Upload Vulnerability


Description: loneferret has discovered a vulnerability in qdPM, which can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused by the application failing to properly verify uploaded files when the profile image is changed in myAccount. This can be exploited to execute arbitrary PHP code by uploading a PHP file, since the upload is stored where the web server will execute it.
The vulnerability is confirmed in version 7. Other versions may also be affected.
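The following is an added example of how a profile-image upload handler can be hardened against this class of bug; it is not qdPM's code. It assumes a form field named `avatar`, a storage directory outside the web root (the `AVATAR_DIR` path is a placeholder) and the GD and fileinfo extensions.

```php
<?php
// Added example, not qdPM's code: hardened profile-image upload handling.
// Never trust the client-supplied file name or Content-Type; derive the stored
// name and extension from the detected content, and re-encode the image.
declare(strict_types=1);

const AVATAR_DIR = '/var/app/storage/avatars'; // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list of detected MIME types and the extension each is stored with.
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validates one entry of $_FILES and returns the stored file name, or throws.
function storeProfileImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type; a .php file renamed to .jpg fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // The file must also parse as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('image header mismatch');
    }
    // Re-encode through GD so script fragments hidden in metadata or trailing bytes are dropped.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('cannot decode image');
    }
    // Random server-chosen name with a fixed, non-executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = AVATAR_DIR . '/' . $name;
    $ok = match (ALLOWED[$mime]) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name; // serve it through a read-only script, not as a direct URL
}

// Usage from the myAccount form handler:
// $stored = storeProfileImage($_FILES['avatar']);
```

Storing the re-encoded file outside the document root and serving it through a script means that even a check bypass cannot yield an executable PHP file reachable by URL.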

Vulnerable Products: qdPM 7.x

Solution: No official solution is currently available.

CVE: none listed

References: http://www.exploit-db.com/exploits/19154/

Vulnerability Manager Detection: No

IPS Protection:
ASQ Engine alarm: Upload of a PHP file in a vulnerable web application
Available since: 5.0.0

Risk level: Moderate
Vulnerability First Public Report Date: 2012-09-14
Target Type: Server
Possible exploit: Remote