@alacerda
Created August 15, 2019 14:02
(CVE-2019-14755) - Leaf Admin RCE
[Suggested description]
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows
Unrestricted Upload of a File with a Dangerous Type.
------------------------------------------
[Additional Information]
Leaf Admin is a virtual appliance running a web application used to
manage Internet Service Providers (ISPs). It controls which users are
enabled or disabled on the system (for example due to payment issues),
their connection speed, and it tracks the financial health of the ISP.
------------------------------------------
[VulnerabilityType Other]
CWE-434: Unrestricted Upload of File with Dangerous Type
------------------------------------------
[Vendor of Product]
Leaf Tecnologias
------------------------------------------
[Affected Product Code Base]
Leaf Admin - 61.9.0212.10 f
------------------------------------------
[Affected Component]
Profile photo upload
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit this vulnerability an attacker needs an account on the system
(any privilege level). Instead of uploading an image as the profile
photo, they upload a malicious .php file; the server stores it without
checking its type, so it can then be requested and executed, giving
remote code execution.
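The following is an added example, not code from Leaf Admin or from the
advisory author, showing the CWE-434 pattern described above next to a
hardened profile-photo handler. Names, the size cap, the sample inputs and
the storage layout are assumptions for illustration: the vulnerable
variant trusts the client-supplied filename and writes it into the web
root; the hardened variant allowlists image extensions, refuses
double extensions, checks the file signature against the extension,
and stores the file under a server-generated name.

```python
import os
import secrets
import tempfile

# Allowlisted image types: extension -> file signatures (magic bytes) the
# body must start with. Anything else, including .php, is rejected.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for a profile photo

# Constructed sample uploads (not real files from the advisory)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'hello'; ?>"


def vulnerable_store(filename: str, data: bytes, webroot: str) -> str:
    """The CWE-434 pattern: trusts the client-supplied name and writes it
    straight into the served web root, so 'shell.php' becomes a reachable
    script. Returns the path written."""
    path = os.path.join(webroot, "profiles", os.path.basename(filename))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def check_profile_photo(filename: str, data: bytes) -> tuple:
    """Return (accepted, detail): detail is the allowlisted extension on
    success or the reason for rejection."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    base = os.path.basename(filename)
    # Split on the FIRST dot so 'shell.php.jpg' keeps its whole suffix chain.
    stem, _, suffix = base.partition(".")
    if not stem or not suffix:
        return False, "no extension"
    parts = suffix.lower().split(".")
    if len(parts) > 1:
        # Some handler configurations execute on any .php segment, so
        # names with more than one extension are refused outright.
        return False, "double extension"
    ext = parts[0]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowlisted"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, ext


def hardened_store(filename: str, data: bytes, storage_dir: str) -> str:
    """Validate, then save under a random server-generated name in a
    directory that is not served as executable content (assumed to be
    outside the web root). Returns the stored name."""
    ok, detail = check_profile_photo(filename, data)
    if not ok:
        raise ValueError(f"upload rejected: {detail}")
    stored = f"{secrets.token_hex(16)}.{detail}"
    os.makedirs(storage_dir, exist_ok=True)
    with open(os.path.join(storage_dir, stored), "wb") as f:
        f.write(data)
    return stored


def demo() -> tuple:
    """Run both handlers on the samples in a temp dir; return the extension
    the vulnerable handler wrote and the extension the hardened one kept."""
    root = tempfile.mkdtemp()
    vuln_path = vulnerable_store("shell.php", PHP_SAMPLE, os.path.join(root, "www"))
    stored = hardened_store("avatar.png", PNG_SAMPLE, os.path.join(root, "uploads"))
    return os.path.splitext(vuln_path)[1], os.path.splitext(stored)[1]


if __name__ == "__main__":
    for name, body in [("avatar.png", PNG_SAMPLE), ("shell.php", PHP_SAMPLE),
                       ("shell.php.jpg", PHP_SAMPLE), ("fake.jpg", PHP_SAMPLE)]:
        print(name, check_profile_photo(name, body))
    print(demo())
```

The signature check matters because extension filtering alone is bypassed by
renaming; storing under a random name outside the web root means that even a
file that slips through validation is never addressable as a script.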
------------------------------------------
[Reference]
http://leaftecnologia.com.br/
http://intruderlabs.com.br/
------------------------------------------
[Discoverer]
Velocista - Intruderlabs (br) team