SourceCodester Pet Grooming Management Software Unrestricted File Upload Vulnerability
Vulnerability
An unrestricted file upload vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue resides in the Setting Handler component, specifically in the file '/admin/seo_setting.php'. It is triggered by manipulating the 'website_image' argument, which lacks proper validation and therefore allows files of any type, including server-side scripts, to be uploaded. The flaw can be exploited remotely and may lead to unauthorized access to, or actions on, the server.
Impact
Exploitation of this vulnerability allows arbitrary file uploads. An attacker could upload scripts or other files that the web server then executes, potentially leading to compromise of the server.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the '/admin/seo_setting.php' page. Once there, upload a file through the 'website_image' field, ensuring that the file is a PHP script or another type of executable file. After uploading, the file can be accessed directly, and if it's a PHP script, it will be executed, displaying the PHP information page.
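The advisory describes the 'website_image' field as lacking proper validation; the following is an added PHP example (not the project's own code) of what a hardened handler for such an upload looks like. It assumes a hypothetical storage directory UPLOAD_DIR that is served as static content with script execution disabled, and a hypothetical 2 MiB size limit; the field name 'website_image' is taken from the advisory.

```php
<?php
// Added example, not code from Pet Grooming Management Software: a hardened
// handler for the 'website_image' upload that the advisory reports as
// unvalidated. Assumptions (hypothetical): files are stored under UPLOAD_DIR,
// a directory served as static files only, with script execution disabled.

declare(strict_types=1);

const UPLOAD_DIR       = __DIR__ . '/../uploads/seo'; // assumed location
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;            // assumed 2 MiB limit

// Server-side mapping from the MIME type detected in the file's bytes to the
// extension we assign. The client-supplied filename and Content-Type are
// never used; SVG is deliberately excluded because it can carry script.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validates one $_FILES entry and stores it under a random, server-chosen name.
 * Returns the stored filename on success; throws RuntimeException otherwise.
 */
function store_website_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent.');
    }
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size out of range.');
    }

    // Determine the type from the content, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Unsupported image type.');
    }
    // Second, independent check that the content parses as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }

    // Assign our own extension and a random name. Because the original name
    // is discarded, an uploaded "x.php" or "x.php.png" can never land on disk
    // under a name the web server would hand to the PHP interpreter.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $target = UPLOAD_DIR . '/' . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('Upload directory unavailable.');
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($target, 0644); // readable by the server, never executable
    return $stored;
}

// Usage inside a settings handler (the field name comes from the advisory).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['website_image'])) {
    try {
        $name = store_website_image($_FILES['website_image']);
        // ... persist $name in the SEO settings record (not shown) ...
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Three properties matter here, and each one on its own would have stopped the scenario in the Reproduction section: the type is decided from the file's bytes against a short allowlist, the stored name and extension are chosen by the server rather than copied from the request, and the upload directory is one where the web server will not execute scripts. The last property is enforced in the web server configuration (for example an Apache or nginx rule that disables PHP handling for that path) and is defence in depth for the day the allowlist is misconfigured.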
