Zeroboard · CVE-2006-3070
**Name of the Vulnerable Software and Affected Versions**
Zeroboard version 4.1 pl8
**Description**
The issue allows remote attackers to bypass restrictions for uploading files with executable extensions. This is achieved by uploading a .htaccess file that includes an AddType directive, which assigns an executable module to files with assumed-safe extensions. For example, an attacker can assign the `txt` extension to be handled by `application/x-httpd-php`, effectively making .txt files executable.
**Recommendations**
For Zeroboard version 4.1 pl8, consider disabling the upload of .htaccess files or restricting the use of the AddType directive in .htaccess files to prevent exploitation. Additionally, restrict access to the `write_ok.php` file to minimize the risk of uploading malicious files.
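To check whether an upload directory already holds such an override file, the following audit script walks the tree and reports `.htaccess` files that remap types or handlers. It is an added example, not code from the advisory or from Zeroboard. It assumes the default override file name `.htaccess`, and it goes beyond the advisory's AddType case by also flagging `AddHandler`, `SetHandler` and `ForceType`; the script-handler hint list and the sample content are constructed.

```python
import os
import re

# AddType is the directive named in the advisory; AddHandler, SetHandler and
# ForceType are included as an assumption because they can have the same effect.
REMAP = re.compile(r"^(AddType|AddHandler|SetHandler|ForceType)\s+(.+)$", re.I)
# Argument substrings that suggest a script handler (assumed list).
EXEC_HINT = re.compile(r"php|cgi-script|x-httpd", re.I)
# Constructed sample: the AddType mapping from the description, split with a
# backslash continuation to exercise the line joiner.
SAMPLE = "# constructed\nAddType application/x-httpd-php \\\n    .txt\nOptions -Indexes\n"

def logical_lines(text):
    """Yield (line_no, line) with continuations joined and comments dropped."""
    buf, start = "", 0
    # The trailing "" flushes a continuation left open on the last line.
    for no, raw in enumerate(text.splitlines() + [""], 1):
        if not buf:
            start = no
        piece = raw.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1] + " "
            continue
        line = (buf + piece).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield start, line

def find_remaps(text):
    """Return [(line_no, directive, args, looks_executable)] for remap directives."""
    hits = []
    for no, line in logical_lines(text):
        m = REMAP.match(line)
        if m:
            args = m.group(2).strip()
            hits.append((no, m.group(1), args, bool(EXEC_HINT.search(args))))
    return hits

def audit_upload_dir(root, name=".htaccess"):
    """Walk an upload tree; map each override file to its remap directives."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in (x for x in files if x.lower() == name):
            path = os.path.join(dirpath, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_remaps(fh.read())
            if hits:
                report[path] = hits
    return report
```

Any hit inside a directory that accepts user uploads deserves review, since that directory should not need its own type or handler mappings; entries with `looks_executable` set are the pattern described above.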