Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Auxilium RateMyPet Unauthenticated Arbitrary File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in Auxilium RateMyPet within the banner upload feature of upload_banners.php. This issue allows remote attackers to upload malicious PHP files because the feature does not properly validate file types or require authentication. The uploaded files are stored in a web-accessible /banners/ directory, where they can be executed directly, leading to remote code execution.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP scripts on the server, resulting in remote code execution.
Reproduction
To reproduce this vulnerability, access the upload_banners.php script located in the admin/sitebanners/ directory. Upload a file through the banner upload feature. The uploaded file can be a PHP script, which will be stored in the /banners/ directory. After the upload, the file can be accessed via the web, where it will execute any contained PHP code. This exploitation can be automated using the Metasploit Framework, where the auxiliary module 'auxilium_upload_exec' handles the upload and execution of a PHP payload.
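The following handler is an added example, not code from the original advisory or from the RateMyPet project. It shows the three controls the advisory says upload_banners.php lacks: an authentication check, content-based file-type validation, and storage of the uploaded file under a server-chosen name in a directory that is not served as executable code. The upload field name `banner`, the `$_SESSION['is_admin']` flag, and the storage path are assumptions.

```php
<?php
// Added example (not RateMyPet's own code): a hardened banner upload handler.
// Assumed: an admin session flag, a form field named 'banner', and a storage
// directory that sits outside the web server's document root.
declare(strict_types=1);

const BANNER_DIR   = __DIR__ . '/../../storage/banners'; // assumed layout, outside web root
const MAX_BYTES    = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// 1. Authentication: the advisory's root cause is that the feature has none.
function require_admin(): void {
    session_start();
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. File-type validation based on the bytes, not the client-supplied name or MIME type.
//    Returns the extension the server will assign to the stored file.
function validate_banner(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // The content must also decode as an image of the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('Corrupt image');
    }
    return ALLOWED_MIME[$mime];
}

// 3. Storage under a random server-chosen name: the original filename, and any
//    .php extension it carried, is discarded, and the file is not world-executable.
function store_banner(array $file, string $ext): string {
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = BANNER_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

require_admin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['banner'])) {
    http_response_code(400);
    exit('Bad request');
}
try {
    $ext  = validate_banner($_FILES['banner']);
    $name = store_banner($_FILES['banner'], $ext);
    echo 'Stored banner ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Banners stored this way are served by a separate read-only script (or a static location) rather than requested directly from the upload directory. If an existing deployment must keep uploads under a web-accessible /banners/ path, the web server should additionally be configured not to execute scripts from that directory (for Apache with mod_php, `php_flag engine off` in that directory's .htaccess; for nginx, no `location` that passes /banners/ requests to PHP-FPM), so that a file which slips past validation is returned as data rather than run.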