This document details an arbitrary file upload vulnerability in Air Drive Plus v2.4 iOS, where the `filename` parameter in the `Upload` module can be manipulated to inject malicious files. The vulnerability allows remote attackers to compromise the mobile web-application via crafted POST requests.
Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Air Drive Plus v2.4 iOS
No auth needed
Prerequisites: Network access to the vulnerable application · Ability to send crafted POST requests