Kordil EDMS
cpe:2.3:a:kordil_edms_project:kordil_edms:*:*:*:*:*:*:*
- 2.2.60rc3
This vulnerability is being actively exploited in the wild.
A vulnerability allowing unauthenticated arbitrary file uploads has been identified in Kordil EDMS version 2.2.60rc3. The application includes an upload endpoint in 'users_add.php' that permits attackers to upload files to the '/userpictures/' directory without authentication. This vulnerability can be exploited to execute remote code by uploading a PHP payload and accessing it through a direct HTTP request.
Exploitation of this vulnerability allows for arbitrary file uploads, which can be used to upload malicious files that are executed on the server, leading to remote code execution.
To reproduce this vulnerability, send a POST request to 'users_add.php' with the 'upload_fd31' parameter containing a PHP file payload. Include the 'add_fd0' and 'add_fd27' parameters with the same filename. After the file is uploaded, it can be accessed via 'userpictures/[filename].php' to execute the payload.
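Added example (not part of the original advisory or of Kordil EDMS): a log check for the request pattern described above, a POST to 'users_add.php' followed by a request for a script file under 'userpictures/'. The combined access-log format, the '/kordil_edms/' install path, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = re.compile(r'(^|/)users_add\.php(\?|$)', re.I)
# Script-like files requested from the picture directory (extension list is an assumption).
DROPPED = re.compile(r'/userpictures/[^/?]+\.(php\d?|phtml|phar)(\?|$)', re.I)

# Constructed sample lines; addresses are documentation ranges, paths are hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /kordil_edms/userpictures/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "POST /kordil_edms/users_add.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [12/Mar/2024:10:02:14 +0000] "GET /kordil_edms/userpictures/a1.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /kordil_edms/userpictures/old.php HTTP/1.1" 404 196',
]

def find_upload_then_exec(lines):
    """Return (client, upload_time, fetch_time, path) for each served script under userpictures/."""
    uploads = {}   # client -> time of its most recent successful POST to users_add.php
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, when, method, path, status = m.groups()
        if int(status) >= 400:
            continue  # request was rejected or the file does not exist
        if method == "POST" and UPLOAD.search(path):
            uploads[client] = when
        elif DROPPED.search(path):
            # upload_time is None when no matching POST from this client is in the log;
            # a script served from a picture directory is still worth reviewing.
            findings.append((client, uploads.get(client), when, path))
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

The access log does not record whether the POST carried a session, so a finding should be confirmed by inspecting the files actually present in 'userpictures/'.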