module
October CMS Upload Protection Bypass Code Execution
| Disclosed |
|---|
| Apr 25, 2017 |
Disclosed
Apr 25, 2017
Description
This module exploits an Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
This module was tested on October CMS version v1.0.412 on Ubuntu.
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
This module was tested on October CMS version v1.0.412 on Ubuntu.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.