Arbitrary PHP Script Execution in phpMyBackupPro 2.5 and Earlier

Arbitrary PHP Script Execution in phpMyBackupPro 2.5 and Earlier

CVE-2015-3640 · MEDIUM Severity

AV:N/AC:M/AU:S/C:P/I:P/A:P

phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.

Learn more about our Web App Pen Testing.