A vulnerability was found in Netartmedia Car Portal 3.0. It has been classified as critical. Affected is an unknown part of the file php%00.jpg of the component File Upload. The manipulation with an unknown input leads to a remote code execution vulnerability. CWE is classifying the issue as CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Unrestricted file upload vulnerability in NetArt Media Car Portal 3.0 allows remote attackers to execute arbitrary PHP code by uploading a file a double extension, as demonstrated by .php%00.jpg.

The weakness was disclosed 01/23/2013 by STORM (Website). The advisory is available at vulnerability-lab.com. This vulnerability is traded as CVE-2012-6509 since 01/23/2013. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known. This vulnerability is assigned to T1608.002 by the MITRE ATT&CK project.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at Exploit-DB (18801) and SecurityFocus (BID 53267†). The entries VDB-63403 and VDB-63401 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Netartmedia

Name

• Car Portal

Version

• 3.0

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion