Digi Online Examination System 2.0 - Unrestricted Arbitrary File Upload

Author: Halil Dalabasmaz
type: webapps
platform: php
port: 80.0
date_added: 2014-11-13  
date_updated: 2014-11-13  
verified: 1  
codes: OSVDB-114604;CVE-2014-8997  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 35223.txt  

# Exploit Title:  Digi Online Examination System Unrestricted File Upload Vulnerability
# Date: 12-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v2.0
# Software Link: http://codecanyon.net/item/digi-online-examination-system-does/8610180
# Software Test Link: http://s1.digitalvidhya.com/doesv2/

# Vulnerabilities Description:

===Unrestricted File Upload===
You can upload your shell from "Photo" section while register the system. And then chekc your shell from here; http://example.com/assets/uploads/images/shellname.php

=Solution=
Filter the files aganist to attacks.