SourceCodester Pet Grooming Management Software Unrestricted File Upload Vulnerability
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in SourceCodester Pet Grooming Management Software version 1.0. This issue arises in the file manage_website.php, where the upload functionality fails to implement proper server-side validation of file types. As a result, attackers can upload malicious scripts disguised as images, such as PHP backdoors, which are then executed on the server. The vulnerability can be exploited remotely, leading to unauthorized access and control over the server.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can be used to execute malicious scripts on the server. This could result in unauthorized access, data theft, or control over the server, causing significant security breaches.
Reproduction
To reproduce this vulnerability, upload a file through the manage_website.php interface. The uploaded file should be a malicious script disguised as an image, such as a PHP file intended to be executed on the server. Once uploaded, the file can be accessed via its URL, executed, and used to run arbitrary commands on the server.
Remediation
It is recommended to implement server-side validation of uploaded files, establishing a whitelist for acceptable file formats such as JPG, PNG, and GIF. Additionally, configure the web server to prevent script execution in the upload directory, monitor upload activities for anomalies, and maintain logs of all upload transactions.
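The following PHP is an added example, not code from SourceCodester Pet Grooming Management Software: it shows the kind of upload handler the remediation above describes (content-based whitelist of JPG, PNG and GIF, server-chosen file names, a non-executable storage directory, and a log of every attempt), with the unvalidated pattern the advisory describes shown first as a disabled comment. The advisory does not reproduce the original code of manage_website.php, so the vulnerable pattern, the form field name `img`, the directory and log paths, the size limit, and the session user lookup are all assumptions.

```php
<?php
// Added example (not the project's own code): hardened image upload handling
// of the kind recommended for the manage_website.php upload flaw.
declare(strict_types=1);

// --- Vulnerable pattern (illustration only, never executed) ----------------
// Trusting the client-supplied name and type means a PHP file "disguised" as
// an image is written to a web-reachable directory and executed on request:
//   move_uploaded_file($_FILES['img']['tmp_name'], 'uploads/' . $_FILES['img']['name']);

// --- Hardened handler -------------------------------------------------------
// Whitelist keyed by MIME type detected from file CONTENT, mapped to the only
// extension we will ever write to disk. Client-supplied names are ignored.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;              // assumed policy value
const UPLOAD_DIR = __DIR__ . '/../uploads_noexec';     // assumed path, outside the web root
const UPLOAD_LOG = __DIR__ . '/../logs/upload.log';    // assumed path

/**
 * Validate one $_FILES entry and return the whitelisted extension, or throw
 * RuntimeException with the reason the file was rejected.
 */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Sniff the content with libmagic, independent of name and Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('disallowed MIME type: ' . var_export($mime, true));
    }
    // 2. Second opinion: the file must decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('file does not decode as the claimed image type');
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Store a validated upload under a random, server-chosen name and log it.
 * Returns the stored name (never the client-supplied one).
 */
function storeImageUpload(array $file, string $actor): string
{
    $ext  = validateImageUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640); // stored files are data, never executable
    logUpload(sprintf('ok actor=%s name=%s size=%d', $actor, $name, $file['size']));
    return $name;
}

/** Append-only record of every upload attempt, accepted or rejected. */
function logUpload(string $line): void
{
    @file_put_contents(UPLOAD_LOG, date('c') . ' ' . $line . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Request handling; the field name 'img' and the session user key are assumptions.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['img'])) {
    $actor = $_SESSION['user'] ?? 'anonymous';
    try {
        $stored = storeImageUpload($_FILES['img'], $actor);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        logUpload(sprintf('rejected actor=%s orig=%s reason=%s',
            $actor, basename((string) ($_FILES['img']['name'] ?? '')), $e->getMessage()));
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Two design points matter more than the MIME checks. First, the stored name is generated on the server and its extension comes from the whitelist, so whatever the client called the file, nothing ending in .php is ever written. Second, a valid image can still carry PHP code appended after the image data, and `getimagesize` will accept it; that is why the remediation's other half, disabling script execution in the upload directory (for Apache with mod_php, `php_admin_flag engine off` in a `<Directory>` block for that path, or on nginx a `location` rule that refuses `.php` requests under it), is not optional. The rejected-upload log lines give the monitoring hook the remediation asks for: a burst of `disallowed MIME type` rejections from one account is the anomaly worth alerting on.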
