code-projects Simple Online Hotel Reservation System
cpe:2.3:a:simple_online_hotel_reservation_system_project:simple_online_hotel_reservation_system:*:*:*:*:*:*:*
- 2.0
A vulnerability allowing unrestricted file uploads has been identified in Code-Projects Simple Online Hotel Reservation System version 2.0. The issue resides in the Photo Handler component, specifically within the file '/admin/edit_room.php'. This vulnerability can be exploited remotely, as the application fails to properly validate the type or content of uploaded files, allowing arbitrary files, including potentially malicious ones, to be uploaded to the server.
Exploitation allows arbitrary files, such as web shells, to be uploaded. If such a file is uploaded, it could be executed on the server, leading to remote code execution.
To reproduce this vulnerability, access the '/admin/edit_room.php' file and use the room editing feature to upload a file. The application does not check the file type, so a malicious PHP file can be uploaded. Once uploaded, the file can be accessed and executed on the server.
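One way to add the missing type and content checks, as an added example that is not the project's own code: an upload handler that validates the file's bytes and stores it under a server-chosen name. The function name, the `photo` form field, the constants and the storage directory are assumptions, since the source of '/admin/edit_room.php' is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical names: PHOTO_DIR, MAX_PHOTO_BYTES, ALLOWED_TYPES and
// store_room_photo() are assumptions, not taken from the project's source.
const PHOTO_DIR = __DIR__ . '/../photo';
const MAX_PHOTO_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validate one $_FILES entry and move it into PHOTO_DIR.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_room_photo(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('size out of range');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED_TYPES[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('type not allowed');
    }
    // A forged header can satisfy the MIME sniff; require a parseable image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-generated name with an extension from the allow-list, so a
    // file submitted as "x.php" is never stored under a script extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], PHOTO_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage inside the form handler (field name assumed):
// $photo = store_room_photo($_FILES['photo']);
```

As defence in depth, the upload directory should also be configured so the web server never executes scripts from it, or be placed outside the web root and served through a script that sets the image content type.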