XHP CMS v.0.5 File Upload Security Vulnerability

Description
Access to the filemanager plugins "inc/htmlarea/plugins/FileManager/manager.php" and "inc/htmlarea/plugins/FileManager/standalonemanager.php" is not properly restricted. This can e.g. be exploited to upload and execute malicious PHP scripts.

Confirmed in version 0.5. Other versions may also be affected.

Impact
This can be exploited to upload arbitrary files to a location inside the web root (e.g. a PHP script).

References
Secunia SA19353
Product Homepage

Articles on Website Security

White Papers on Web security