Car Rental Management System Arbitrary File Upload Vulnerability Allowing Remote Code Execution

A vulnerability allowing authenticated users to upload arbitrary files has been identified in the Car Rental Management System, versions 1.0 to 1.3. This issue arises from insufficient file type validation and improper access controls on the uploads directory. Exploiting this vulnerability enables attackers to upload malicious files, such as PHP scripts, which can be executed remotely, potentially leading to a complete server compromise.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential for full server compromise, unauthorized access to sensitive data, privilege escalation, and lateral movement within the network.

Reproduction

To reproduce this vulnerability, a low-privileged user account is required to access the upload functionality in the System Settings module. Once authenticated, the user can upload a crafted file, such as a PHP shell, which can then be accessed publicly without authentication. After uploading the shell, commands can be executed remotely by appending '?cmd=' to the URL of the uploaded file.

Remediation

To address this vulnerability, it is recommended to implement strict file type validation to prevent the upload of executable files like PHP scripts. File upload permissions should be restricted to trusted users only, and uploaded files should be stored in a directory that is not accessible via the web. Server permissions should be configured to block the execution of uploaded files by default. Regularly patching and updating the system to address known vulnerabilities is also advised.