ashraf-kabir Travel Agency Unrestricted File Upload Vulnerability

Vulnerability

A file upload vulnerability has been identified in ashraf-kabir travel agency versions up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. The issue resides in an unknown function of the file /customer_register.php, where inadequate validation of uploaded files allows for the unrestricted upload of potentially malicious PHP files. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability lets an attacker upload files without restriction, including malicious files that are then processed within the application's environment. This could lead to various attacks, such as executing uploaded PHP scripts on the server.

Reproduction

To reproduce this vulnerability, upload a file through the file upload function in the /customer_register.php file. The application does not verify the file type, extension, or content, allowing malicious PHP files to be uploaded.
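The three missing checks named above (file type, extension, content), shown as a defensive upload handler. This is an added example, not code from the travel agency project; the field name 'photo', the destination directory, the allowed image types and the size limit are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed policy: image uploads only, keyed by the extension they are stored under.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit

/**
 * Returns the safe extension for an acceptable upload, or null to reject it.
 * $clientName is attacker-controlled; $tmpPath is the server-side temp file.
 */
function vetUpload(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Extension check: allow-list on the final suffix, case-insensitive.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Type check: sniff the MIME type from the bytes, not the client-sent Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Content check: the file must actually parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return $ext;
}

function storeUpload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = vetUpload($file['name'], $file['tmp_name'], (int) $file['size']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: the client-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $destDir . '/' . $name) ? $name : null;
}

// Usage (hypothetical field name and path):
// $saved = storeUpload($_FILES['photo'], '/var/app/uploads');
```

The destination directory should sit outside the web root or have script execution disabled, so that a file that slips past the checks is still never interpreted as PHP.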

Added: Nov 23, 2025, 9:18 AM
Updated: Nov 23, 2025, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.