Victor CMS File Upload Vulnerability Allowing Arbitrary PHP File Execution

Vulnerability

An authenticated file upload vulnerability exists in Victor CMS version 1.0. This vulnerability allows administrators to upload PHP files containing arbitrary code through the 'user_image' parameter. The uploaded files are stored in the '/img/' directory, where they can be accessed and executed with a 'cmd' parameter, allowing for the execution of system commands.

Impact

Exploitation of this vulnerability allows arbitrary PHP scripts to be uploaded and then executed on the server, leading to unauthorized command execution.

Reproduction

To reproduce this vulnerability, log into the Victor CMS admin panel and navigate to the 'Users' management page. Use the 'Add User' feature to upload a file through the 'user_image' parameter. The uploaded file should be a PHP script designed to execute commands via a 'cmd' parameter. Once the file is uploaded, it can be accessed through the '/img/' directory, and the embedded commands can be executed by appending the 'cmd' parameter to the file's URL.
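
For defenders, the access pattern described above (a request for a PHP file inside '/img/', often carrying a 'cmd' parameter) is visible in web server access logs. The following is an added example, not code from Victor CMS or from this advisory: it assumes the common/combined access-log format, and the function name, extension list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Common/combined access-log format: request line, then status code (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions a PHP-enabled server may hand to the interpreter (illustrative list).
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar|pht)(\.|/|$)', re.IGNORECASE)
UPLOAD_DIR = "/img/"   # upload directory named in the advisory


def scan(lines, upload_dir=UPLOAD_DIR):
    """Return one finding per request that asks for a script inside upload_dir."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path)            # decode %2e-style encodings first
        idx = path.lower().find(upload_dir)
        if idx < 0 or not SCRIPT_EXT.search(path[idx:]):
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "path": path,
            "status": int(m["status"]),
            # Only parameter names are kept; values may hold sensitive data.
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            # 2xx means the server served or ran the file: treat as an incident.
            "served": m["status"].startswith("2"),
        })
    return findings


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '198.51.100.7 - - [03/Feb/2026:22:50:01 +0000] "GET /img/avatar.jpg HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [03/Feb/2026:22:51:12 +0000] "GET /img/photo.php?cmd=x HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.9 - - [03/Feb/2026:22:52:40 +0000] "GET /img/a%2Ephp HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.9 - - [03/Feb/2026:22:53:02 +0000] "GET /index.php?post=3 HTTP/1.1" 200 9001 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with "served" set to true means a script in the upload directory returned a 2xx response and should be investigated; findings with 4xx statuses indicate probing.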

Added: Feb 3, 2026, 10:48 PM
Updated: Feb 3, 2026, 10:48 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 6.3
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.