PT-2013-41: Arbitrary Code Execution in Ajax File and Image Manager

Vulnerable software

Ajax File and Image Manager
Version: 1.1 and earlier


Severity level

Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote

CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE: not assigned

Software description

Ajax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.

Vulnerability description

The specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.

Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.

Vulnerability exploitation example:

Send the following requests simultaneously:


Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg


Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/jpeg

<FilesMatch ".(php)$">
Allow from all

This will also create the following files in the /targethost/images/banner directory:
.htaccess with

How to fix

No solution

Advisory status

20.06.2013 - Vendor gets vulnerability details
04.09.2013 - Vulnerability details were sent to CERT
17.09.2013 - Public disclosure


The vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: