Frog CMS 0.9.5 - Arbitrary File Upload

Author: Javid Hussain
type: webapps
platform: php
port: 
date_added: 2014-07-08 
date_updated: 2014-07-08 
verified: 1 
codes: OSVDB-108949;CVE-2014-4912 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-07-08-at-73943-pm.png 
application_url: http://www.exploit-db.comfrog_095.tar.gz

Exploit Title: Arbitrary File Upload in Frog CMS 0.9.5
Date : 2014-07-07
Exploit Author : Javid Hussain
Vendor Homepage : http://www.madebyfrog.com

# Exploit-DB Note: All authenticated users can upload files. If the file
# does not have execute permissions the CMS allows users to change them.
# No need to be authenticated to trigger uploaded files.

There is a possibility to upload arbitrary file in Frog CMS latest version
0.9.5

POC:

The vulnerability exist because of the filemanager plugin is not properly
verifying the extension of uploaded files.

Go to     http://localhost/frog_095/admin/?/plugin/file_manager/images

Upload an executable php file

Go to     http://localhost/Frog/frog_095/public/images/

for verification.