Reported to MyCERT with the following ticket number: MyCERT-201206271021640
Tested and verified on 06/27/2012 00:30 (GMT +8)
Original report:
##################################################
# Exploit Title: IMCE Mkdir <== Remote File Upload Vulnerability
# Date: 27/06/2012
# Author: Fahmi Fisal
# Web/Blog: http://justryuz.blogspot.com
# Category: webapps
# version: -
# Vendor or Software Link: http://drupal.org/project/imce_mkdir
# Google dork: inurl:"/imce?dir=" intitle:"File Browser"
# Tested on: Linux
##################################################
[~]Exploit/p0c :
Comments
Comment #1
ufku commented:

It's not a bug with the module or Drupal. It's some administrators giving anonymous users access to IMCE with a profile that has upload permissions. Unfortunately, that's not limited to IMCE. You can find lots of sites where anonymous users can access administration interfaces. Ex: search inurl:"admin/build/modules".

It's all about permissions given to anonymous users.