### Critical Vulnerability Information

#### Vulnerability Overview

- **Product Name**: eBlog Site
- **Version**: V1.0
- **Vulnerability Type**: Arbitrary File Upload Leading to Arbitrary Code Execution
- **Affected File**: /native/admin/save-slider.php

#### Detailed Vulnerability Analysis

- **Primary Vulnerability Location**: Lines 1 to 3 in the file /native/admin/save-slider.php.
- **Vulnerable Code**:

```php
// Extension is everything from the first '.' in the client-supplied filename
$file_name = $_FILES['slider']['name'];
$file_ext = substr($file_name, strpos($file_name, '.'));
$prefix = "church_" . md5(time() . rand(1, 9999));
// The attacker-chosen extension is kept in the stored path
$path = "../uploads/slider/" . $prefix . $file_ext;

// Check if file was successfully uploaded
if (move_uploaded_file($_FILES['slider']['tmp_name'], $path)) {
    // Insert filename and other data into database
    // ($title and $file_name_new are not defined in the lines shown here)
    $sql = "INSERT INTO slider (caption, file) VALUES (:a, :b)";
    $q = $db->prepare($sql);
    $q->execute(array(':a' => $title, ':b' => $file_name_new));

    if ($q) {
        header("location: add-slider.php?success=true");
    } else {
        header("location: add-slider.php?fail=true");
    }
}
```

#### Root Cause Analysis

- In /native/admin/save-slider.php, the uploaded file is not filtered: the handler keeps the extension from the client-supplied filename and stores the file under ../uploads/slider/ without checking its type or content. An attacker can upload any file, such as a PHP script, and then access it, leading to arbitrary code execution.

#### Example

- A screenshot shows a malicious PHP file being uploaded; its name is visible on the /native/admin/all-slider.php page.
- After the file's URL is accessed, the execution result is shown, displaying a calculator interface.
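
One way to close the root cause described above, as an added example that is not eBlog Site's own code: the server picks the extension from an allowlist keyed on the detected content type and discards the client filename. The names `store_slider_upload`, `SLIDER_MAX_BYTES` and `SLIDER_TYPES`, and the 2 MiB limit, are assumptions made for illustration.

```php
<?php
// Added example, not eBlog Site code. store_slider_upload(), SLIDER_MAX_BYTES
// and SLIDER_TYPES are hypothetical names; the 2 MiB cap is an assumption.
const SLIDER_MAX_BYTES = 2 * 1024 * 1024;

// Allowlist: MIME type detected from file content => extension chosen by the server.
const SLIDER_TYPES = [
    'image/jpeg' => '.jpg',
    'image/png'  => '.png',
    'image/gif'  => '.gif',
];

function store_slider_upload(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed or is not an HTTP upload');
    }
    if (filesize($tmp) > SLIDER_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the bytes on disk, never from $_FILES[...]['name'] or ['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? (SLIDER_TYPES[$mime] ?? null) : null;
    if ($ext === null || @getimagesize($tmp) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    // Unpredictable name from a CSPRNG; the client filename is discarded entirely.
    $name = 'church_' . bin2hex(random_bytes(16)) . $ext;
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name; // value to store in the slider.file column
}

// In save-slider.php this call would replace the filename and move_uploaded_file() logic:
// $stored = store_slider_upload($_FILES['slider'], __DIR__ . '/../uploads/slider');
```

Because a file can be a valid image and still contain PHP code, the web server should also be configured so that nothing under uploads/slider/ is handed to the PHP interpreter.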