Code-Projects College Notes Uploading System Unrestricted File Upload Vulnerability
Vulnerability
A vulnerability allowing arbitrary file uploads has been identified in Code-Projects College Notes Uploading System version 1.0. The issue resides in the file '/dashboard/userprofile.php', where the 'image' argument can be manipulated to bypass file type restrictions. This flaw enables remote exploitation, allowing attackers to upload malicious scripts that could be executed on the server, potentially leading to unauthorized control, data theft, or further attacks on system security.
Impact
Exploitation of this vulnerability allows for unrestricted file uploads, which can be used to upload and execute malicious scripts on the server. This could result in unauthorized server control, data theft, or additional attacks that compromise system security.
Reproduction
To reproduce this vulnerability, send a POST request to '/dashboard/userprofile.php' with the 'image' parameter set to a file named '111.php'. Change the 'Content-Type' to 'image/gif' to bypass file type detection. Once the file is uploaded, it can be accessed and executed as a web shell.
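The root cause described above is that the upload check trusts the client-supplied Content-Type header. The following handler is an added example written for this page, not code from the Code-Projects project, and assumes a hypothetical `storeProfileImage()` function and a `private_uploads` directory outside the web root; it validates the file by its bytes and assigns the extension itself, so a PHP file sent as `image/gif` is rejected or at least never stored as `.php`.

```php
<?php
// Added example (not the project's code): server-side validation for the
// 'image' upload. Names and paths are assumptions for illustration.

const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // outside the web root (assumed layout)
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed image types, keyed by the MIME type detected from file *content*.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate $_FILES['image'] and store it under a random name.
 * Returns the stored file name, or throws on any failed check.
 */
function storeProfileImage(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or tampered with');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Detect the type from the bytes on disk. $file['type'] is the
    //    request's Content-Type and is attacker-controlled, so it is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }

    // 2. The file must actually decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 3. Never reuse the client's file name or extension; choose both here.
    //    Checks 1 and 2 can be fooled by an image with script appended, so
    //    this step (plus storing outside the web root) is the real control.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}
```

Files stored this way should be served by a small read-only script that sets the Content-Type from the stored extension, or from a directory where the web server has script execution disabled, so that even a polyglot image is never run as code.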