Sourcecodester Covid-19 Contact Tracing System Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Sourcecodester Covid-19 Contact Tracing System version 1.0. This issue arises from an unrestricted file upload feature that allows users to upload files with dangerous types, such as PHP scripts. Once uploaded, these files can be executed on the server, leading to remote code execution with the privileges of the web server process.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server. Depending on the server's configuration, this could result in a full system compromise, unauthorized access to sensitive data, disruption of services, or modification of application behavior.

Remediation

Users are advised to implement strict server-side validation of uploaded files, restrict allowed file extensions and MIME types, store uploaded files outside the web root, disable execution permissions on upload directories, and apply any available vendor patches or updates.

Added: Jan 12, 2026, 8:17 PM
Updated: Jan 12, 2026, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.7
remediation: 0.0
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.