SourceCodester Food Menu Manager Unrestricted File Upload Vulnerability

Vulnerability

A critical unrestricted file upload vulnerability has been identified in SourceCodester Food Menu Manager version 1.0. The issue resides in the file endpoint/update.php, whose upload logic does not properly validate file types: the image type detection can be bypassed with a crafted GIF file, which lets an attacker upload malicious PHP scripts (such as Trojans) that execute arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which can lead to the execution of uploaded malicious files, such as PHP scripts, on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the update.php endpoint that uploads a crafted GIF file which passes the image type detection. The uploaded file can then be executed as a PHP script, resulting in arbitrary code execution.
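The root cause is that a valid image header is accepted as proof that the whole file is an image. The following hardened upload handler is an added illustration, not code from Food Menu Manager; the function name, the $uploadDir parameter and the 2 MB limit are assumptions. It allowlists the extension, compares the server-side MIME sniff with that extension, and then re-encodes the image with GD so that anything appended after the image data is discarded before the file is written under a server-chosen name.

```php
<?php
// Added example: hardened image upload handler (not Food Menu Manager's own code).
// handle_menu_image_upload(), $uploadDir and the size limit are assumed names/values.

function handle_menu_image_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // 1. Allowlist the extension from the client-supplied name; never trust it on its own.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Server-side MIME sniff (magic bytes) must agree with the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("MIME $mime does not match extension .$ext");
    }

    // 3. A correct GIF header is not enough: script code can follow it. Decode with GD
    //    and keep only the decoded pixels, so any trailing payload never reaches disk.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // 4. Random server-chosen name with a fixed image extension; the target directory
    //    should additionally have PHP execution disabled at the web-server level.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0644);
    return basename($dest);
}
```

Re-encoding flattens animated GIFs; if animation must be preserved, keep the decode as a validation step only and rely on the fixed extension plus a no-execute upload directory.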

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  6.3
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.