Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Glossword Arbitrary File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

Glossword, from version 1.8.8 up to but not including 1.8.12, allows an authenticated user with administrative privileges to upload arbitrary files. The upload handler does not adequately validate the file's type or its destination path, so a PHP payload can be uploaded and then executed by the web server, yielding remote code execution. The issue affects Glossword when it is deployed as a standalone application.

Impact

An attacker who already holds administrative credentials can upload a PHP script and have the web server execute it, gaining remote code execution on the host with the privileges of the web server process. The administrative-login precondition limits who can exploit the flaw, but any compromised or malicious administrator account turns it into a full server compromise.

Reproduction

Log into the Glossword administrative interface and open the 'Avatar settings' tab at 'gw_admin.php?a=edit-own&t=users'. Upload a PHP file disguised as an image; the upload is accepted despite the file type restrictions the application claims to enforce. Once stored, the file can be requested directly and is executed by the server as PHP, giving a shell on the host.
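For responders checking an installation against the pattern described above, the following scanner is an added example; it is not part of this advisory and not Glossword code. It walks a directory of uploaded avatars (the storage location is installation-specific and is passed in as an argument, an assumption made here) and flags the four signs that an "image" upload is really PHP: an executable final extension, a PHP extension buried in a double extension such as shell.php.jpg, magic bytes that disagree with the image type the extension claims, and a PHP open tag anywhere in the body. The sample files it builds are constructed for illustration only.

```python
"""Triage scanner for a web-upload directory (e.g. where avatars land).

Flags files whose final extension is executable by PHP, files with a
PHP-like extension hidden in the middle of the name (shell.php.jpg), files
whose magic bytes disagree with the image type the extension claims, and
files that contain a PHP open tag anywhere in the body (polyglot images).
"""
import os
import re
import tempfile

# Extensions a typical mod_php / PHP-FPM setup will hand to the interpreter.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Magic-byte prefixes for the image types an avatar upload usually accepts.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Long form "<?php" and short-echo form "<?="; both start PHP execution.
# "<?xml" at the top of an SVG does not match, which avoids that false positive.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify_bytes(filename, data):
    """Return the list of findings for one file, in a fixed order."""
    findings = []
    parts = os.path.basename(filename).lower().split(".")
    exts = ["." + p for p in parts[1:]]      # shell.php.jpg -> ['.php', '.jpg']
    last = exts[-1] if exts else ""
    if last in PHP_EXTENSIONS:
        findings.append("php-extension")
    if any(e in PHP_EXTENSIONS for e in exts[:-1]):
        findings.append("double-extension")
    if last in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[last]):
        findings.append("magic-mismatch")
    if PHP_TAG.search(data):
        findings.append("php-tag")
    return findings


def scan_directory(root):
    """Walk root and return {relative path: findings} for files with findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = classify_bytes(name, data)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed sample uploads for the demo; not artefacts from any real incident.
SAMPLES = {
    "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "avatar.gif": b"GIF89a" + b"\x00" * 8 + b"<?php system($_GET['c']); ?>",
    "avatar.php": b"GIF89a" + b"<?php system($_GET['c']); ?>",
    "avatar.php.jpg": b"\xff\xd8\xff" + b"<?= `id` ?>",
    "notes.jpg": b"plain text, not an image",
}


def build_samples(root):
    """Write the constructed samples into root and return their names."""
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return sorted(SAMPLES)


def demo():
    """Build the samples in a scratch directory and scan it."""
    root = tempfile.mkdtemp(prefix="avatar-scan-")
    build_samples(root)
    return scan_directory(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Point scan_directory at the real avatar directory of the installation being checked. A php-tag hit inside a file with an image extension only executes if the server maps that file to the PHP handler, so pair such hits with the web server configuration and the access log for requests to the flagged path; a php-extension or double-extension hit in an avatar directory is a finding on its own. The same checks (an allowlist on the final extension, magic bytes that agree with it, no PHP open tag in the body), together with a server-generated filename and storage in a location where PHP execution is disabled, are the minimum a corrected upload handler should enforce server-side.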

Added: Aug 5, 2025, 8:39 PM
Updated: Aug 5, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  6.5
  remediation     0.0
  relevance       0.3
  threat          8.6
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.