SourceCodester Client Database Management System Unrestricted File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A critical remote code execution vulnerability has been identified in SourceCodester Client Database Management System (CDMS) version 1.0. The issue resides in the Leads Generation module, in the file '/user_leads.php', which accepts file uploads from any authenticated user without validating the file extension or the actual content type of the file. Because executable extensions such as .php are not rejected, an attacker can upload a PHP script. Uploaded files are written unchanged into a web-accessible directory with directory listing enabled, so the attacker can both locate the uploaded script and execute it by requesting it through the web server.
Impact
Exploitation gives an authenticated attacker remote command execution on the application server with the privileges of the PHP process. An uploaded PHP file acts as a web shell and can lead to full compromise of the server, including theft of the database credentials held in the application's configuration, escalation to other privileges available on the host, and exfiltration or destruction of application data.
Reproduction
To reproduce this vulnerability, log in as an ordinary user, create a transaction, and open the 'Leads Generation' section to update that transaction's details. The update form accepts a file upload; upload a file named 'profile.php' containing PHP code. The application stores the file under its original name in the 'files' directory without checking its extension or content. After the update completes, request the uploaded file directly in the browser: the web server executes it as PHP instead of returning it as data, confirming code execution.
Remediation
It is recommended to validate uploads on the server side against an allowlist of permitted types, checking the file's actual content (not the client-supplied Content-Type header or file name) and ignoring the submitted extension; a blocklist of extensions is insufficient because variants such as .phtml, .phar or .PHP are easily missed. Uploaded files should be stored outside the web root under a server-generated random name (for example a UUID or random hex string) and served only through a download handler that sets a fixed Content-Type and Content-Disposition, so the web server never interprets them as scripts. Directory listing should be disabled, although on its own this does not prevent execution of a file whose name is known. Long-term hardening measures include enforcing strict file permissions on the upload location (no execute bit, not writable by the web server beyond the upload step), configuring the web server to refuse script execution in any upload directory as defense in depth, scanning uploads with antivirus, and adding web application firewall rules to detect file upload abuse.
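The following is an added example of a hardened upload and download handler written for this advisory; it is not CDMS code and does not show how '/user_leads.php' is implemented. It assumes the upload field is named 'attachment', that UPLOAD_DIR is a directory outside the document root, and that the caller has already authenticated the user and will record the returned metadata in the database.

```php
<?php
// Added example (not CDMS code): allowlist-based upload storage plus a
// download handler, replacing a handler that saves the client's file name
// into a web-served 'files' directory.
// Assumptions: $_FILES['attachment'] is the upload field; UPLOAD_DIR is not
// served by the web server; the caller has already authenticated the user.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/cdms_uploads';   // assumption: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist keyed by the MIME type sniffed from file content. The extension
// recorded on disk comes from this table, never from the client. PHP
// extensions (.php, .phtml, .phar, ...) are simply not present.
const ALLOWED = [
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
];

function store_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the content; $file['type'] and $file['name'] are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('disallowed content type: ' . var_export($mime, true));
    }
    $ext = ALLOWED[$mime];

    // Server-chosen random name; the original name survives only as metadata.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server process, never executable

    return [
        'stored_name'   => $stored,
        'original_name' => basename($file['name']),
        'mime'          => $mime,
    ];
}

// Download handler: the file is streamed by PHP with a fixed Content-Type
// and an attachment disposition, so nothing in UPLOAD_DIR is ever executed
// or rendered by the web server itself.
function send_upload(string $storedName, string $mime, string $downloadName): void
{
    // Accept only the exact shape produced by store_upload(); this also
    // rules out path traversal in $storedName.
    if (!preg_match('/^[0-9a-f]{32}\.(pdf|png|jpg)$/', $storedName)
        || !array_key_exists($mime, ALLOWED)) {
        http_response_code(400);
        exit;
    }
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $storedName;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($downloadName) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Usage in the update handler (assumed field name 'attachment'):
// $meta = store_upload($_FILES['attachment']);  // then persist $meta with the transaction
// and, when a user downloads it: send_upload($meta['stored_name'], $meta['mime'], $meta['original_name']);
```

The design choice is that every attacker-controlled attribute of the upload (name, extension, declared type, location) is replaced by a server-decided value before the file touches disk, and that the file is reachable afterwards only through send_upload(), never by URL. As defense in depth, the web server should also be configured to refuse script execution in any directory that receives uploads, so that a future misconfiguration placing uploads back under the web root does not reopen this issue.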