This is a detailed technical writeup describing a PHP command injection vulnerability in CF Image Host 1.65-1.6.6. The vulnerability allows authenticated attackers to inject malicious PHP code into the 'Site Title' or 'Site Slogan' fields, which is then stored in 'set.php' and executed when certain tabs are accessed.
Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target:CF Image Host 1.65 - 1.6.6
Auth required
Prerequisites:Access to the admin panel · Valid credentials