CVE-2008-4509

FOSS Gallery 1.0 beta - Unauthenticated Arbitrary File Upload via processFiles.php


Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-4509. PoCs published by Pepelux and JosS.

AI-analyzed exploit summary: This is a writeup describing an arbitrary file upload vulnerability in FOSS Gallery Public Version <= 1.0. The vulnerability allows attackers to upload PHP files due to lack of proper file format validation in processFiles.php.

Description

Unrestricted file upload vulnerability in processFiles.php in FOSS Gallery Admin and FOSS Gallery Public 1.0 beta allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the root directory.

Exploits (3)

exploitdb WRITEUP VERIFIED
by Pepelux · text · webapps · php
https://www.exploit-db.com/exploits/6680

This is a writeup describing an arbitrary file upload vulnerability in FOSS Gallery Public Version <= 1.0. The vulnerability allows attackers to upload PHP files due to lack of proper file format validation in processFiles.php.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FOSS Gallery Public Version <= 1.0
Authentication: No auth needed
Prerequisites: Access to the upload functionality
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by JosS · perl · webapps · php
https://www.exploit-db.com/exploits/6674

This exploit targets FOSS Gallery Public <= 1.0, allowing arbitrary file upload via a vulnerable endpoint (`processFiles.php`). It uploads a PHP shell (default: `c99.php`) and executes commands to retrieve system information.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FOSS Gallery Public <= 1.0
Authentication: No auth needed
Prerequisites: Network access to the target · Vulnerable version of FOSS Gallery Public
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Pepelux · python · webapps · php
https://www.exploit-db.com/exploits/6670

This exploit leverages an arbitrary file upload vulnerability in FOSS Gallery Admin Version <= 1.0 by bypassing authentication checks in the upload process. It directly POSTs to processFiles.php, allowing an attacker to upload any file, including a malicious shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FOSS Gallery Admin Version <= 1.0
Authentication: No auth needed
Prerequisites: Network access to the target · processFiles.php accessible
devstral-2 · analyzed Feb 16, 2026

References (6)

Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/31574
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/45683
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/6680
Third Party Advisory (third-party-advisory, x_refsource_sreason): http://securityreason.com/securityalert/4379
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/6674
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/6670

Scores

EPSS: 0.0766
EPSS Percentile: 93.8%

Details

CWE: CWE-20
Status: published
Products (1): foss_gallery/foss_gallery 1.0 beta (2 CPE variants)
Published: Oct 09, 2008
Tracked Since: Feb 18, 2026