Arbitrary PHP Code Execution via Null Byte in File Name in Drupal 6.x and 7.x
CVE-2012-5653 · MEDIUM Severity
AV:N/AC:M/AU:S/C:P/I:P/A:P
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
Learn more about our User Device Pen Test.