CVE-2007-5733

Japanese PHP Gallery Hosting - Unauthenticated Arbitrary File Upload via ServerPath Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5733. PoCs published by Pete Houston.

AI-analyzed exploit summary: The exploit targets an arbitrary file upload vulnerability in Japanese PHP Gallery Hosting caused by insufficient input sanitization. An attacker can use it to upload and execute arbitrary code on the server.

Description

Unrestricted file upload vulnerability in upload/upload.php in Japanese PHP Gallery Hosting, when Open directory mode is enabled, allows remote attackers to upload and execute arbitrary PHP code via a ServerPath parameter specifying a filename with a double extension. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by Pete Houston · tags: text, webapps, php
https://www.exploit-db.com/exploits/30703

Classification
Writeup 90%
Attack Type
RCE
Complexity
Trivial
Reliability
Theoretical
Target: Japanese PHP Gallery Hosting (versions prior to 10/2007)
No auth needed
Prerequisites: Access to the vulnerable upload endpoint
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (4)
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/39015
- Third Party Advisory (third-party-advisory, x_refsource_sreason): http://securityreason.com/securityalert/3322
- Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/482676/100/0/threaded
- Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/26179

Scores

EPSS: 0.0307
EPSS Percentile: 86.9%

Details

CWE: CWE-20, CWE-94
Status: published
Products (1): japanese_php_gallery_hosting/japanese_php_gallery_hosting
Published: Oct 30, 2007
Tracked Since: Feb 18, 2026