Code-Projects Online Bidding System Unrestricted File Upload Vulnerability
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in Code-Projects Online Bidding System version 1.0. The issue arises in the 'categoryadd' function within the 'administrator/addcategory.php' file. The vulnerability allows attackers to upload files without proper validation of file types or content, leading to potential remote code execution.
Impact
The lack of file type validation and the ability to overwrite existing files can be exploited to execute arbitrary code on the server. Additionally, uploaded files could contain cross-site scripting (XSS) payloads that are stored and later executed.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the 'add category' section. Upload a file through the 'catimage' input. The file upload will bypass all security checks, allowing the upload of malicious files such as web shells or files containing XSS payloads.
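As an added example (not code from the Online Bidding System project), the following is a hardened PHP handler of the kind that would close this issue for the 'catimage' field: it ignores the client-supplied filename and type, sniffs the real content, assigns a server-chosen random name so nothing can be overwritten, and refuses anything that does not decode as an image. `UPLOAD_DIR` and `MAX_BYTES` are assumed values.

```php
<?php
// Added example, not the project's code. UPLOAD_DIR is an assumed path that
// must be served with PHP execution disabled.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/categories';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB

// Detected MIME type => extension the server assigns; the client's filename
// and Content-Type are never used.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/** Validate and store one uploaded image; returns the stored filename or throws. */
function storeCategoryImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Only accept files PHP itself received through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type from the bytes, not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type');
    }
    // The file must also decode as an image; a script with a forged header will not.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen random name with a fixed extension: no path traversal,
    // no double extensions, and no overwriting of existing files.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return basename($dest);
}

// In the category handler, in place of storing $_FILES['catimage'] unchecked:
// $stored = storeCategoryImage($_FILES['catimage']);
```

Serving the upload directory with script execution disabled (and, ideally, from a separate origin) is the second half of the fix: validation limits what gets stored, the serving rule limits what a stored file can do if validation is ever bypassed.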
