Arbitrary PHP Code Execution through File Upload in TYPO3 6.0.x and 6.1.x

CVE-2013-4250 · MEDIUM Severity

AV:N/AC:L/Au:S/C:P/I:P/A:P

The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allows remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
