HaPe PKH Arbitrary File Upload Vulnerability Allowing Remote Code Execution

An arbitrary file upload vulnerability has been identified in HaPe PKH version 1.1. This vulnerability allows authenticated attackers to upload malicious files by circumventing file type validation. Exploitation of this vulnerability enables the execution of arbitrary code on the server. The issue arises from the application's failure to properly validate file types before upload, allowing PHP files to be uploaded through several endpoints, including 'aksi_foto.php', 'aksi_user.php', and 'aksi_kecamatan.php'.

Impact

Exploitation of this vulnerability allows for arbitrary file upload, which can be used to execute malicious code on the server.

Reproduction

To reproduce this vulnerability, authenticate as a user and upload a PHP file through one of the vulnerable endpoints, such as 'aksi_foto.php', 'aksi_user.php', or 'aksi_kecamatan.php'. The uploaded file will be processed as a legitimate image file, bypassing the application's file type restrictions. Once uploaded, the PHP file can be accessed through the 'gambar-konten' directory, allowing for code execution on the server.