CVE-2014-9567

Name of the Vulnerable Software and Affected Versions ProjectSend (formerly cFTP) versions r100 through r561

Description The issue allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory. This is due to an unrestricted file upload vulnerability in the process-upload.php file.

Recommendations For versions r100 through r561, restrict access to the upload/files/ and upload/temp/ directories to prevent direct requests to uploaded files. As a temporary workaround, consider disabling the file upload functionality in process-upload.php until a patch is available.