Unrestricted file upload vulnerability in add.asp in OzzyWork Gallery, possibly 2.0 and earlier, allows remote attackers to upload and execute arbitrary ASP files by removing the client-side security checks.