Arbitrary PHP Code Execution via Unrestricted File Upload in Drag & Drop Gallery Module for Drupal
CVE-2012-4472 · MEDIUM Severity
AV:N/AC:H/AU:N/C:P/I:P/A:P
Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter.
Learn more about our Web Application Penetration Testing UK.