CVE-2012-1468 Information

Description

Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not .php\ then accessing it via a direct request to the file in submission/original/ in the associated article directory as demonstrated using .pHp .asp and other extensions.

Reference

http://pkp.sfu.ca/ojs/RELEASE-2.3.7 http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431 https://www.htbridge.com/advisory/HTB23079