CVE-2012-4472

Name of the Vulnerable Software and Affected Versions Drag & Drop Gallery module versions 6.x-1.5 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter. This is made possible by an unrestricted file upload vulnerability in the upload.php file.

Recommendations For Drag & Drop Gallery module versions 6.x-1.5 and earlier, consider disabling the upload.php file or restricting file uploads to prevent exploitation until a fix is available. Restrict access to the directory specified by the filedir parameter to minimize the risk of arbitrary PHP code execution.