[Original text] Unrestricted file upload vulnerability in uploader.php in Uploader 1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/.
The Uploader PHP application does not require authentication by default. This allows a malicious user to upload files and potentially execute arbitrary PHP code on the server.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Open the setup.php file in a text editor, change the value of the ADMIN[RequirePass] variable to 'Yes', and specify a strong password for the ADMIN[Password] variable. For additional security, change the upload directory to an absolute path pointing outside of the web root.
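One way to verify that the workaround above has been applied, as an added example that is not part of the advisory or of the Uploader project. The `$ADMIN[...] = "...";` assignment syntax, the sample file contents, the paths and the 12-character password minimum are assumptions.

```python
import os
import re

# Assumed setup.php syntax (the advisory names only the variables):
#   $ADMIN[RequirePass] = "Yes";
ASSIGN = re.compile(r"""\$ADMIN\[\s*['"]?(\w+)['"]?\s*\]\s*=\s*(['"])(.*?)\2\s*;""")

# Constructed sample contents, not taken from the real application.
DEFAULT_SETUP = '<?php\n$ADMIN[RequirePass] = "No";\n$ADMIN[Password] = "";\n'
HARDENED_SETUP = ('<?php\n// $ADMIN[RequirePass] = "No";\n'
                  '$ADMIN[RequirePass] = "Yes";\n'
                  '$ADMIN[Password] = "constructed-long-passphrase-1";\n')
WEB_ROOT = "/srv/constructed-site/htdocs"  # constructed path


def parse_admin(php_source):
    """Collect $ADMIN[key] = "value"; assignments, skipping commented lines."""
    settings = {}
    for line in php_source.splitlines():
        line = line.strip()
        if line.startswith(("//", "#")):
            continue
        match = ASSIGN.search(line)
        if match:
            settings[match.group(1)] = match.group(3)
    return settings


def outside_web_root(upload_dir, web_root):
    """True only for an absolute path that does not resolve under web_root."""
    if not os.path.isabs(upload_dir):
        return False
    root = os.path.realpath(web_root)
    return os.path.commonpath([os.path.realpath(upload_dir), root]) != root


def audit(php_source, upload_dir, web_root, min_password_len=12):
    """Return a list of findings; empty means the workaround is in place."""
    admin = parse_admin(php_source)
    findings = []
    if admin.get("RequirePass", "").lower() != "yes":
        findings.append("ADMIN[RequirePass] is not 'Yes'")
    if len(admin.get("Password", "")) < min_password_len:  # assumed threshold
        findings.append("ADMIN[Password] is empty or short")
    if not outside_web_root(upload_dir, web_root):
        findings.append("upload directory is relative or inside the web root")
    return findings


if __name__ == "__main__":
    print(audit(DEFAULT_SETUP, "uploads/", WEB_ROOT))
    print(audit(HARDENED_SETUP, "/srv/constructed-site/private/uploads", WEB_ROOT))
```

The upload directory is passed in as an argument because the advisory does not name the setting that holds it.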