phpFormGenerator Arbitrary File Upload

Nessus Network Monitor Plugin ID 3678 (High)


Synopsis

The remote host is vulnerable to a Script Injection attack.


Description

The remote host is running phpFormGenerator, a PHP-based tool for generating web forms. The version of phpFormGenerator installed on the remote host allows an unauthenticated attacker to create forms supporting arbitrary file uploads. This issue can then be leveraged to upload a file with arbitrary code and execute it subject to the privileges of the web server user ID.


Solution

No solution is known at this time.

Plugin Details

Severity: High

ID: 3678

File Name: 3678.prm

Family: CGI

Published: 2006/07/05

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 21918

Risk Information

Risk Factor: High


CVSS v2

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND


CVSS v3

Base Score: 7.3

Temporal Score: 7.1


Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:musawir_ali:phpformgenerator

Reference Information

BID: 18768