10
dotomaz
8y

My biggest mistake was that I didn't check the file extension of an uploaded file. Or, more correctly, I forgot that I had turned it off for debugging and pushed the app to production.

Somebody noticed, uploaded a hacker PHP script and got access to all the files on the server, including some semi-sensitive clients' information.

The talk with the client that followed was not a pleasant one.

Comments
  • 2
    c99.php? (or one of its siblings) I remember finding that whilst doing a freelance audit for an image hosting site vulnerable to LFI & RFI (basically you could upload any PHP script if you renamed it `my-legit-photo-nothing-suspicious.png` and the server would just run the script).
  • 1
    Damn, that was years ago. I wonder what the equivalent is today. I'd bet you good money someone out there has a nice box-decimating dashboard with a pretty minimalistic, responsive material design powered by React, Redux, and of course developer's tears.

    I knew of a guy who supposedly made several grand selling script kiddies a mod of c99 (whose src was public) that had jQuery plugins inlined.
    "use a file browser on their victim!" It even had a progress bar animation!

    Totally worth $30, right?
  • 0
    yo I was in an IRC with a l33t haxor once, watch out
  • 1
    @rozzzly yup it was c99.php