UnoPim
cpe:2.3:a:webkul:unopim:*:*:*:*:*:*:*
- <= 0.2.0
A remote code execution vulnerability has been identified in UnoPim, an open-source Product Information Management system built on the Laravel framework, in versions prior to 0.2.1. The issue arises in the image upload feature during user creation, which only performs client-side file type validation. This allows users to manipulate the request by uploading an image, intercepting it with a proxy tool like Burp Suite, and altering the file extension and content. Exploitation involves uploading a crafted PHP file that, when accessed, executes the embedded code on the server.
Exploitation of this vulnerability allows for remote code execution on the server where UnoPim is hosted. This could lead to a full system compromise, giving an attacker control over the server, access to the database and filesystem, and the ability to interact with other sensitive devices on the network.
To reproduce this vulnerability, upload an image file as a profile picture during user creation. Intercept the request using a proxy tool like Burp Suite, and modify the multipart request body to include a PHP file named 'poc.php' with a payload that executes system commands. After uploading, access the file through the web server, passing a command to be executed as a parameter. The executed command's output can be retrieved, demonstrating successful exploitation.
Users are advised to update to UnoPim version 0.2.1 or later, where this vulnerability has been patched. Additionally, implement server-side validation of file types and extensions to prevent the upload of malicious files.
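The server-side validation the remediation calls for, written here as an added Laravel example (not UnoPim's own code): the controller name, the `image` field name and the `local` disk are assumptions. It rejects uploads whose sniffed content is not an allowlisted image type, discards the client-supplied filename and extension entirely, and stores the file on a disk the web server does not serve or execute.

```php
<?php
// Hypothetical controller (example code, not UnoPim's own) showing
// server-side validation of a profile-image upload. Nothing sent by the
// client (filename, extension, Content-Type header) is trusted.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

class ProfileImageController extends Controller
{
    // Allowlist: sniffed MIME type => extension the server assigns itself.
    private const ALLOWED = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];

    public function store(Request $request): array
    {
        // 1. Framework checks: a real upload, image content, size cap (KB).
        //    Laravel's 'mimes' rule matches the MIME type read from the file
        //    contents, not the extension in the multipart filename.
        $request->validate([
            'image' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png,gif,webp', 'max:2048'],
        ]);

        /** @var UploadedFile $file */
        $file = $request->file('image');

        // 2. Sniff the content again (finfo via getMimeType) and confirm it
        //    decodes as an image, so a renamed PHP script is refused even if
        //    it carries a forged image header.
        $detected = $file->getMimeType();
        if (!isset(self::ALLOWED[$detected]) || @getimagesize($file->getPathname()) === false) {
            throw ValidationException::withMessages(['image' => 'Unsupported image content.']);
        }

        // 3. Server-generated name with the extension pinned to the sniffed type;
        //    the original 'poc.php'-style name never reaches the filesystem.
        $name = Str::random(40) . '.' . self::ALLOWED[$detected];

        // 4. Store on the non-public 'local' disk (storage/app), which is not
        //    under the web root, so nothing stored there can be requested or run.
        $path = $file->storeAs('avatars', $name, 'local');

        return ['path' => $path];
    }
}
```

Serve stored avatars through a controller that streams the file with an explicit image Content-Type rather than exposing the storage directory directly.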