Input passed via the "name" and "HTTP_RAW_POST_DATA" parameters to "ofc_upload_image.php" is not sanitized. This can be exploited to create arbitrary PHP files with the .php extension that can be remotely executed.

OSVDB is not currently aware of a solution for this vulnerability.

• Exploit Database: 10532 24969
• CVE ID: 2009-4140 (see also: NVD)
• Secunia Advisory ID: 37078 37903 37911 41402 41456 43228 43248 53121 53158 53177
• Bugtraq ID: 37314
• ISS X-Force ID: 53825
• VUPEN Advisory: ADV-2009-2966
• Vendor Specific Advisory URL: http://civicrm.org/blogs/totten/advisory-openflashchart-attacks
  http://piwik.org/blog/2009/10/piwik-response-to-secunia-advisory-sa37078/
  http://www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/
• Packet Storm: http://packetstormsecurity.com/files/121377/Janissaries-Joomla-Civicrm-Shell-Upload.html
• Other Advisory URL: http://packetstormsecurity.org/0910-exploits/piwik-upload.txt
  http://www.autosectools.com/Advisories/CiviCRM.3.3.3.Drupal-Joomla_Reflected.Cross-site.Scripting_102.html
  http://www.autosectools.com/Advisories/CiviCRM.3.3.3.Drupal-Joomla_Reflected.Cross-site.Scripting_102.html
  http://www.openwall.com/lists/oss-security/2009/12/14/1
  http://www.openwall.com/lists/oss-security/2009/12/14/3
• Vendor Specific Solution URL: http://plugins.trac.wordpress.org/changeset/702346/open-flash-chart-core-wordpress-plugin
• Mail List Post: http://seclists.org/oss-sec/2009/q4/267
• Vendor URL: http://teethgrinder.co.uk/open-flash-chart/
• News Article: http://torrentfreak.com/hackers-target-and-exploit-pirate-bay-ad-server-100913/
  http://www.h-online.com/open/news/item/Year-old-vulnerability-endangers-OpenX-ad-server-1078115.html
• Vendor Specific News/Changelog Entry: http://wordpress.org/extend/plugins/formidable/changelog/
  http://wordpress.org/extend/plugins/open-flash-chart-core-wordpress-plugin/changelog/
  http://wordpress.org/extend/plugins/woopra/changelog/

• Braeden Thomas