Code Astro Internet Banking System
cpe:2.3:a:codeastro:internet_banking_system:*:*:*:*:*:*:*
- 2.0.0
A remote code execution vulnerability has been identified in Code Astro Internet Banking System version 2.0.0. This issue arises from inadequate validation of file uploads in the profile_pic parameter of pages_view_client.php, allowing attackers to bypass security measures and execute arbitrary code.
Exploitation of this vulnerability could lead to full server compromise, data theft, and unauthorized privilege escalation.
To reproduce this vulnerability, upload a file through the profile picture upload feature, intercept the upload request with a tool like Burp Suite, and modify the file to include a double extension (such as .jpeg.php). Change the Content-Type header to application/x-php and insert malicious PHP code, such as a command to execute system commands. Once the file is uploaded, it can be accessed through the admin dist img directory, where the uploaded file will execute the embedded PHP code.
To mitigate this vulnerability, restrict file uploads to image formats only and verify the MIME type of the uploaded content rather than trusting the client-supplied header. Sanitize filenames so they cannot carry an executable extension, and store uploaded files outside the web root.
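The following is an added example of a hardened profile-picture upload handler that applies these mitigations; it is not code from the Code Astro project. The function name, the storage path and the size limit are assumptions.

```php
<?php
// Added example (not Code Astro code): hardened handler for a profile picture upload.
// Assumes the form field is $_FILES['profile_pic'] and that UPLOAD_DIR is outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads/profile_pics'; // assumed path, not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;                  // assumed limit
// Allowlist keyed by the MIME type detected from the file's bytes; the value is the only
// extension the stored file may receive, so "x.jpeg.php" can never survive the upload.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_profile_pic(array $file, int $userId): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from content; the client's Content-Type header and filename are ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }
    // Reject anything that does not decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-generated name: no user-controlled characters, single allowlisted extension.
    $name = sprintf('%d_%s.%s', $userId, bin2hex(random_bytes(8)), ALLOWED[$mime]);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application only, never executable
    return $name;      // persist this name; serve the file through a read-only handler
}
```

Because the directory is outside the web root, the image must be served by a script that sets Content-Type from the allowlist and uses readfile(), so no uploaded file is ever reachable by a direct URL.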