SourceCodester Best Church Management Software Unrestricted File Upload Vulnerability

Vulnerability

A critical unrestricted file upload vulnerability has been identified in SourceCodester Best Church Management Software version 1.0. The issue resides in the file '/admin/app/soulwinning_crud.php', where the 'photo' and 'photo1' parameters accept uploaded files without proper validation of their type or name. The vulnerability can be exploited remotely, and such unrestricted uploads may lead to remote code execution.

Impact

Exploitation of this vulnerability allows an attacker to upload arbitrary files to the server. If an uploaded file is stored where the web server will execute it, the result is remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to '/admin/app/soulwinning_crud.php' with the 'photo' and 'photo1' fields included in the multipart form data. These fields accept arbitrary files (such as PDFs) rather than only images, and the upload becomes exploitable if the server later executes the uploaded file as a script.
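As an added illustration (not code from this page or from the SourceCodester project), the checks that a hardened handler for the 'photo' and 'photo1' fields should perform, written in Python rather than the application's PHP; the image allowlist, magic-byte table and upload directory layout are assumptions. An audit helper is included so an incident responder can list files already in an upload directory that those same checks would have rejected.

```python
import re
import secrets
from pathlib import Path

# Image types the 'photo'/'photo1' fields are meant to carry (assumed allowlist).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Magic bytes -> canonical extension used for the server-side filename.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}
# Extensions a web server may hand to an interpreter; rejected anywhere in the name.
SCRIPT_EXT = re.compile(r"^\.(php\d*|phtml|phar|cgi|pl|py|sh|aspx?|jsp)$", re.I)


def sniff_image_ext(data: bytes):
    """Identify the image type from content, not from the client-supplied name."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_name: str, data: bytes) -> dict:
    """Decide whether an uploaded file may be stored, and under what name.

    The client-supplied name is only inspected, never reused: the stored
    name is a random token plus the extension derived from the content."""
    suffixes = [s.lower() for s in Path(client_name).suffixes]
    if any(SCRIPT_EXT.match(s) for s in suffixes):
        return {"ok": False, "reason": "script extension in name", "stored_as": None}
    if not suffixes or suffixes[-1] not in ALLOWED_EXT:
        return {"ok": False, "reason": "extension not in allowlist", "stored_as": None}
    ext = sniff_image_ext(data)
    if ext is None:
        return {"ok": False, "reason": "content is not a recognised image", "stored_as": None}
    return {"ok": True, "reason": "accepted", "stored_as": secrets.token_hex(16) + ext}


def audit_upload_dir(root: str) -> list:
    """Incident-response helper: list files under an (assumed) upload directory
    that the checks above would have rejected, e.g. scripts dropped via the handler."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            verdict = validate_upload(path.name, path.read_bytes()[:16])
            if not verdict["ok"]:
                findings.append((str(path), verdict["reason"]))
    return findings
```

Storing accepted files outside the web root, or in a directory the server is configured never to execute from, is the complementary control that the rename alone does not replace.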

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.6
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.