SourceCodester Simple Company Website Unrestricted File Upload Vulnerability
Vulnerability
A critical arbitrary file upload vulnerability has been identified in SourceCodester Simple Company Website version 1.0. The issue resides in '/classes/Users.php', where manipulating the 'img' parameter allows unrestricted file uploads. The vulnerability can be exploited remotely by authenticated users with a valid PHP session ID.
Impact
Exploitation of this vulnerability allows authenticated users to upload and execute arbitrary PHP code on the server, potentially leading to a full system compromise.
Reproduction
To reproduce this vulnerability, authenticate to the application to obtain a valid PHP session ID. Then, send a POST request to '/classes/Users.php?f=save' with the 'img' parameter included as a file upload. The uploaded file should be a PHP script disguised as an image, such as a JPEG file. Once the file is uploaded, it can be accessed and executed from the '/uploads/' directory on the server.
Remediation
It is recommended to implement strict validation of uploaded files, ensuring that only expected image formats are accepted. Additionally, configure the web server to prevent execution of scripts in the upload directory and consider renaming and relocating uploaded files to a secure location outside the web root.
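A sketch of the validation and renaming steps recommended above, as an added example that is not the application's own code or a vendor patch. The function name, the constants, the 2 MiB limit and the storage directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allowlist: detected MIME type => extension we assign (never the client's).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit for this example

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * $storageDir is assumed to be a directory outside the web root.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_uploaded_image(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing.');
    }
    $tmp = (string) $file['tmp_name'];
    // Only accept files that PHP itself received through HTTP POST.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size not accepted.');
    }
    // Detect the type from content; ignore $file['type'] and $file['name'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    // The file must also parse as an image of that same type.
    $info = getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image.');
    }
    // Random name plus allowlisted extension: no client-controlled ".php".
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($tmp, rtrim($storageDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file.');
    }
    return $name;
}
```

A save handler would pass `$_FILES['img']` to this function and persist only the returned name. Content checks alone do not stop PHP code embedded in a valid image, which is why the stored extension is server-chosen and the web server should still refuse to execute scripts in the upload location.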
