CVE-2009-4819

PHPhotoalbum - Unauthenticated Arbitrary File Upload via Double Extension Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4819. PoCs published by wlhaan hacker.

AI-analyzed exploit summary: This is a writeup describing a file upload vulnerability in PHPhotoalbum, allowing attackers to bypass file extension restrictions by appending '.pgif' or '.pjpeg' to PHP files. The exploit involves uploading a malicious PHP file and accessing it to achieve remote code execution.

Description

Multiple unrestricted file upload vulnerabilities in upload.php in PHPhotoalbum allow remote attackers to execute arbitrary code by uploading a file with a (1) .php.pgif or (2) .php.pjpeg double extension, then accessing it via a direct request to the file in albums/userpics/.

Exploits (1)

exploit-db · writeup · verified
by wlhaan hacker · text · webapps · php
https://www.exploit-db.com/exploits/10584


Classification
Writeup 90%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: PHPhotoalbum (version not specified)
No auth needed
Prerequisites: Target running PHPhotoalbum with vulnerable upload functionality · Ability to upload files to the server
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/10584
Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/54958
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/37436

Scores

EPSS 0.0334
EPSS Percentile 87.1%

Details

Status published
Products (3)
stoverud/phphotoalbum 0.3
stoverud/phphotoalbum 0.4
stoverud/phphotoalbum 0.5
Published Apr 27, 2010
Tracked Since Feb 18, 2026