code-projects Employee Profile Management System
cpe:2.3:a:code-projects:employee_profile_management_system:*:*:*:*:*:*:*
- 1.0
An unrestricted file upload vulnerability has been identified in Code-Projects Employee Profile Management System version 1.0. The issue resides in the file '/profiling/add_file_query.php', where the file supplied in the 'per_file' parameter is accepted without proper validation. This flaw allows arbitrary files, including executable PHP scripts, to be uploaded to a directory accessible via the web. If the server is configured to execute PHP files in that directory, this can lead to remote code execution.
Exploitation of this vulnerability allows for the upload and execution of arbitrary PHP code on the server. This could result in a full compromise of the server, including unauthorized command execution, data theft, privilege escalation, and the installation of persistent backdoors.
To reproduce this vulnerability, log into the Employee Profile Management System as a user with access to the 'Add File' feature. Upload a file named 'shell.php' containing executable PHP code, such as a simple script that echoes a message. After uploading the file through the application's interface or via a direct POST request to 'add_file_query.php' using a tool like curl, the uploaded PHP file can be accessed through the 'uploads' directory. The server will execute the PHP code, confirming the successful exploitation of the vulnerability.
It is recommended to implement a strict allow-list for file extensions, only permitting safe types such as PDF, DOCX, JPG, and PNG. Uploaded files should be validated for their MIME types and contents using server-side checks, ensuring they match expected formats. Additionally, files should be stored outside the web root and served through a controlled download script that does not execute them. Randomizing filenames before saving uploads can also help prevent overwriting existing files. Finally, web server configurations should be used to disable script execution in the uploads directory.
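The following is an added example of a hardened upload step written for this advisory; it is not the project's own code. It assumes the form field is named 'per_file' as in the advisory, and the allow-list, size limit and the '/private_uploads' storage directory outside the web root are assumptions.

```php
<?php
// Hardened replacement for the upload step in add_file_query.php (added example,
// not the project's own code). Assumes the upload field is named 'per_file' as in
// the advisory; $storageDir, the allow-list and MAX_BYTES are assumptions.
declare(strict_types=1);

// Extension -> expected MIME type. Only these four types are accepted.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'jpg'  => 'image/jpeg',
    'png'  => 'image/png',
];
const MAX_BYTES = 5 * 1024 * 1024; // 5 MiB, assumed limit

// Directory outside the document root; never served directly by the web server.
$storageDir = dirname(__DIR__, 2) . '/private_uploads';

function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('invalid upload');
    }
    // The client-supplied name is used only to look up the extension in the allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not permitted');
    }
    // Sniff the real content type server-side; $_FILES[...]['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random server-chosen name: no path traversal, no overwrite, no double extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $storageDir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not save file');
    }
    chmod($dest, 0640); // not executable; readable by the web server user only
    return $stored;     // record this name in the database; serve it via a download script
}

$name = store_upload($_FILES['per_file'] ?? [], $storageDir);
echo json_encode(['stored_as' => $name]);
```

Older libmagic builds report DOCX as 'application/zip', so verify what finfo returns on the deployment host before relying on the table above. Any legacy 'uploads' directory that must remain under the web root should additionally have PHP execution disabled in the web server configuration, as the recommendation above describes.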