onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the New File screen

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the New File screen

access http://fragrant:30001/OneFileCMS/onefilecms.php by username/password

![image](https://user-images.githubusercontent.com/22767054/42223064-6f53adea-7f09-11e8-8727-074ac65588db.png)

Click `New File` -> 123.php -> `Create`

![image](https://user-images.githubusercontent.com/22767054/42223124-973c9f38-7f09-11e8-8dd6-03cb62953bee.png)

![image](https://user-images.githubusercontent.com/22767054/42223160-acc07dde-7f09-11e8-8aca-cdc0365abb24.png)

Click `SAVE CHANGES` -> access http://fragrant:30001/123.php  


![image](https://user-images.githubusercontent.com/22767054/42223392-3a3838aa-7f0a-11e8-8755-b12dc01e9547.png)





Provide feedback

Saved searches

Use saved searches to filter your results more quickly

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the New File screen #47

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

onefilecms.php in OneFileCMS through 2017-10-09 might allow attackers to execute arbitrary PHP code via xxx .php filename on the New File screen #47

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions