Unrestricted file upload vulnerability in The Address Book 1.04e validates the Content-Type header but not the file extension, which allows remote attackers to upload arbitrary PHP scripts.
The Address Book 1.04e contains an unrestricted file upload vulnerability. The upload handler accepts any file whose client-supplied Content-Type header is on its allowed list but never inspects the file extension, so a .php file sent with Content-Type: image/jpeg is accepted and stored under a web-accessible path. Requesting that file afterwards executes it on the server, giving a remote attacker code execution (RCE) as the web server user and, from there, a path to full system compromise and data theft. Note that the attacker does not bypass the content-type check; they simply satisfy it, because the header is entirely under the client's control.
Step 1: Craft the payload: the attacker writes a PHP script, for example a minimal web shell that runs the command passed in a request parameter, or any other code to execute system commands.
Step 2: Keep the .php extension: because the extension is never checked, no renaming is needed and the file can be called, for example, shell.php. Prepending image magic bytes is unnecessary, since only the header is inspected; an image/PHP polyglot still works, however, because PHP treats bytes outside <?php ... ?> tags as literal output and executes the embedded code regardless.
Step 3: Upload the file: the attacker submits the file through the application's upload form or with a tool such as curl, setting the multipart part's Content-Type to a value the application accepts, e.g. curl -F "file=@shell.php;type=image/jpeg" <upload URL> (the form field name depends on the application's upload form).
Step 4: Validation passes: the application compares the supplied Content-Type header against its allowed list, finds image/jpeg, and accepts the upload. The .php extension is never examined, and the file is stored under its original name.
Step 5: Locate the uploaded file: the attacker determines the directory the application writes uploads to (e.g., by examining the application's code or through trial and error).
Step 6: Execute the payload: the attacker requests the stored file, e.g. http://example.com/uploads/malicious.php. Because the file name ends in .php, the web server hands it to the PHP interpreter (the Content-Type sent at upload time plays no role here), and the script runs with the privileges of the web server process.
The vulnerability stems from insufficient input validation. During file upload the application checks only the Content-Type HTTP header, a value chosen by the client that says nothing reliable about the file's contents or name, and it never validates the file extension. An attacker therefore uploads a PHP script with an accepted Content-Type (e.g., image/jpeg) and a .php extension. The application stores the file under its original name in a web-accessible directory; when the attacker requests it, the web server routes it to the PHP interpreter because of the .php extension, and the malicious code executes.
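As an added illustration (this is not code from The Address Book or from the advisory), the following Python models the flawed decision beside a hardened one and shows why the header check alone is worthless: the Content-Type of a multipart part is written by the client, exactly as curl -F "upload=@shell.php;type=image/jpeg" writes it. The sample uploads, the form field name "upload", the boundary and all function names are constructed for this example. The hardened check goes beyond the specific bug on the page: it also refuses double extensions such as shell.php.jpg, which Apache's AddHandler can still pass to PHP because it matches any dot-separated segment of the name, and it makes the server choose the stored file name.

```python
import re
import secrets

# --- Constructed sample uploads (not captured from the real application) ---
JPEG_MAGIC = b"\xff\xd8\xff\xe0"
WEBSHELL = b"<?php system($_GET['c']); ?>"
SAMPLES = {
    # sample name        : (filename from client, Content-Type from client, body)
    "legit_jpeg":        ("photo.jpg", "image/jpeg", JPEG_MAGIC + b"\x00\x10JFIF..."),
    "spoofed_type":      ("shell.php", "image/jpeg", WEBSHELL),            # the CVE case
    "double_extension":  ("shell.php.jpg", "image/jpeg", JPEG_MAGIC + WEBSHELL),
    "honest_type":       ("shell.php", "application/x-php", WEBSHELL),
}

ACCEPTED_TYPES = {"image/jpeg", "image/gif", "image/png"}  # assumed allow list


def build_multipart(filename, content_type, body, boundary="----Boundary1234"):
    """Build the multipart/form-data body that `curl -F "upload=@FILE;type=TYPE"` sends.
    The part's Content-Type line is written by the client, so the server cannot trust it."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="upload"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + body + f"\r\n--{boundary}--\r\n".encode()


PART_RE = re.compile(
    rb'filename="([^"]*)"\r\nContent-Type: ([^\r\n]+)\r\n\r\n(.*?)\r\n--', re.S)


def parse_part(multipart):
    """Extract (filename, content_type, body) from the single-part body built above."""
    m = PART_RE.search(multipart)
    return m.group(1).decode(), m.group(2).decode(), m.group(3)


def vulnerable_check(filename, content_type, body):
    """Models the flawed validation: only the client-supplied Content-Type is examined."""
    return content_type in ACCEPTED_TYPES


# allowed extension -> magic bytes the body must start with
ALLOWED_EXT = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n",
}
# one base name and exactly one extension: rejects shell.php.jpg, which Apache's
# AddHandler (matching any dot-separated segment) may still hand to the PHP interpreter
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def hardened_check(filename, content_type, body):
    """Return a random, server-chosen storage name, or None if the upload is rejected.
    Requires an accepted Content-Type, an allow-listed single extension, and magic bytes
    that match that extension; the client's file name is never used for storage."""
    if content_type not in ACCEPTED_TYPES:
        return None
    m = SAFE_NAME_RE.match(filename)
    if not m:
        return None
    ext = m.group(1).lower()
    magic = ALLOWED_EXT.get(ext)
    if magic is None or not body.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def run_samples(check):
    """Send every sample over the wire format, parse it as the server would, apply `check`.
    Returns {sample name: accepted (bool)}."""
    results = {}
    for name, (fn, ct, body) in SAMPLES.items():
        wire = build_multipart(fn, ct, body)
        results[name] = bool(check(*parse_part(wire)))
    return results


if __name__ == "__main__":
    print("vulnerable:", run_samples(vulnerable_check))
    print("hardened:  ", run_samples(hardened_check))
```

The vulnerable check accepts shell.php as soon as the part claims image/jpeg; the hardened one rejects it on the extension alone, and rejects the polyglot double extension before the magic bytes are even consulted. Independently of the check, the upload directory should sit outside the web root or have script execution disabled (under mod_php, php_flag engine off in that directory's configuration), so that a bypass of the name check still does not yield code execution.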