DouPHP
cpe:2.3:a:douphp:douphp:*:*:*:*:*:*:*
- <= 1.8 Release 20251022
A vulnerability allowing unrestricted file upload has been identified in DouPHP versions through 1.8 Release 20251022. The issue resides in the file upload/include/file.class.php, specifically within the bigfile method. The vulnerability is triggered by manipulating the sql_link_url parameter, which the application uses to determine the upload directory and file name. If the directory matches a certain condition, the file is uploaded without proper validation, allowing the execution of arbitrary code. This vulnerability requires administrative privileges to exploit, as it involves accessing a protected file upload feature in the admin panel.
Exploitation of this vulnerability allows for arbitrary file upload, which could be used to upload malicious scripts that are executed on the server, leading to remote code execution.
To reproduce this vulnerability, an administrator must log into the DouPHP application and navigate to the file upload feature in the admin panel. Once there, a crafted HTTP POST request must be sent to upload/include/file.class.php. This request should include the sql_link_url parameter, pointing to a location where a PHP file can be executed, along with other required parameters such as blob_num and total_blob_num. The uploaded file should be a ZIP file containing a PHP script, which will be executed on the server once the upload is complete.
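A defensive sketch of the validation this upload path lacks, added here as an example and not taken from DouPHP's code: the destination directory is fixed server-side, the client-supplied value may only contribute a strictly formatted file name, and archive entries are checked before anything is unpacked. The function names, UPLOAD_ROOT, the extension lists, and the assumption that the archive is later extracted are all hypothetical; it needs PHP's zip extension.

```php
<?php
// Added illustration, not DouPHP code. Names, paths and lists are assumptions.
const UPLOAD_ROOT = '/var/www/app/data/backup'; // assumed fixed dir where PHP is not executed
const ALLOWED_UPLOAD_EXT = ['zip'];             // assumed: only archives are expected
const ALLOWED_ENTRY_EXT = ['sql'];              // assumed: only SQL dumps inside the archive

// Map a client-supplied file name to a path under UPLOAD_ROOT, or null to reject.
function safe_upload_target(string $clientValue): ?string
{
    // \A...\z anchors the whole string: no slashes, NUL bytes or second dot get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $clientValue, $m)) {
        return null;
    }
    $ok = in_array(strtolower($m[1]), ALLOWED_UPLOAD_EXT, true);
    return $ok ? UPLOAD_ROOT . '/' . $clientValue : null;
}

// List archive entries that must block extraction: path traversal or unexpected types.
function risky_zip_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<unreadable archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        $norm = str_replace('\\', '/', $name);
        $traversal = strpos($norm, '/') === 0 || in_array('..', explode('/', $norm), true);
        $isDir = substr($norm, -1) === '/';
        $ext = strtolower(pathinfo($norm, PATHINFO_EXTENSION));
        if ($traversal || (!$isDir && !in_array($ext, ALLOWED_ENTRY_EXT, true))) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample input: a ZIP holding one data file and one PHP entry.
$tmp = tempnam(sys_get_temp_dir(), 'zip');
$z = new ZipArchive();
$z->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('dump.sql', '-- constructed sample');
$z->addFromString('theme/info.php', 'constructed placeholder');
$z->close();
var_dump(safe_upload_target('backup_2025.zip'), safe_upload_target('../theme/info.php'));
print_r(risky_zip_entries($tmp));
unlink($tmp);
```

The upload should be refused when safe_upload_target returns null or risky_zip_entries returns a non-empty list.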