#Title : phpMyFAQ 2.8.x Arbitrary File Upload Vulnerability
#Author : DevilScreaM
#Date : 10/26/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://phpmyfaq.de/
#Version : 2.8.x
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded
#Vulnerability : Arbitrary File Upload
#Dork : intext:powered by phpMyFAQ

Exploit & POC

1. Log in to the admin page, then go to
   http://site-target/admin/editor/plugins/ajaxfilemanager/ajaxfilemanager.php
2. Browse to your file and click Upload

Upload result

http://site-target/images/[YOUR_FILE].txt

Example :

http://jen.demo.phpmyfaq.de/images/devilscream.txt
http://roy.demo.phpmyfaq.de/images/devilscream.txt
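
For site owners reviewing their own logs, the following is an added example, not part of the original advisory: it flags POSTs to the file manager path named above and successful requests for non-image files under /images/. It assumes phpMyFAQ is installed at the web root, logs are in common/combined format, and only the listed image extensions are expected in that directory; the sample log lines are constructed.

```python
import re
from pathlib import PurePosixPath

# Paths taken from the advisory above (assumes install at the web root).
UPLOADER = "/admin/editor/plugins/ajaxfilemanager/ajaxfilemanager.php"
UPLOAD_DIR = "/images/"
# Assumption: only these extensions are expected under /images/.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico"}

# Common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_suspect_uploads(lines):
    """Return (kind, client, path) findings from access-log lines."""
    findings = []
    posted = set()  # clients already seen POSTing to the file manager
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if method == "POST" and path == UPLOADER:
            posted.add(ip)
            findings.append(("filemanager_post", ip, path))
        elif path.startswith(UPLOAD_DIR) and status.startswith("2"):
            ext = PurePosixPath(path).suffix.lower()
            if ext not in IMAGE_EXTS:
                kind = "non_image_after_post" if ip in posted else "non_image_served"
                findings.append((kind, ip, path))
    return findings

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [26/Oct/2013:10:00:09 +0000] "POST /admin/editor/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 312',
    '192.0.2.10 - - [26/Oct/2013:10:00:15 +0000] "GET /images/example-upload.txt HTTP/1.1" 200 18',
    '198.51.100.7 - - [26/Oct/2013:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in find_suspect_uploads(SAMPLE_LOG):
        print(finding)
```

A "filemanager_post" finding is expected during legitimate admin use; the pairing with a non-image file served from /images/ is what merits a closer look.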