Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Code-Projects Library System Unrestricted File Upload Vulnerability

Vulnerability

A critical vulnerability allowing unrestricted file uploads has been identified in Code-Projects Library System version 1.0. The issue resides in the file '/user/teacher/profile.php', where the 'image' parameter can be manipulated to bypass the file-type and content checks. The vulnerability can be exploited remotely, enabling attackers to upload malicious PHP scripts such as web shells. Once a web shell is uploaded, attackers can gain full control over the system: execute commands, navigate the file system, and access sensitive data.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious scripts on the server. This could lead to a complete compromise of the web application and potentially the underlying server, depending on the server's configuration and the privileges of the web server user.

Reproduction

To reproduce this vulnerability, send a POST request to '/user/teacher/profile.php' with the 'image' parameter containing a PHP file. The uploaded file will be saved in a web-accessible directory, where it can be executed as a script. This can be done using a tool like AntSword, which can connect to the uploaded web shell and execute commands on the server.

Remediation

It is recommended to implement proper file upload validation, such as whitelisting the allowed file types and verifying MIME types. Additionally, uploaded files should be stored in directories that are not web-accessible, with execution permissions disabled. Monitoring for anomalous upload patterns and logging suspicious activity can also help mitigate the risk.
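The following is an added example of what those remediation points look like in a hardened profile-image upload handler. It is illustrative code written for this advisory, not the Library System's own profile.php; the storage path, size limit and allowed image types are assumptions, and the handler is keyed to the 'image' form field named above.

```php
<?php
// Added example: hardened replacement for a profile-image upload handler.
// Not the Library System's own code; paths and limits below are assumptions.

declare(strict_types=1);

// ASSUMPTION: storage directory outside the web root. Nothing under it is
// mapped by the web server, so an uploaded file can never be requested or
// executed by URL.
const UPLOAD_DIR = '/var/app/private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, an assumed limit

// Allowlist keyed by the MIME type detected from the file *content*.
// The stored extension is taken from this table, never from the
// client-supplied filename, so "shell.php" or "x.php.jpg" cannot survive.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it into private storage.
 * Returns the server-chosen basename on success; throws on any failure.
 */
function store_profile_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int)$file['error']);
    }
    // Only accept files PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Sniff the real type from content (magic bytes). $file['type'] is
    //    supplied by the client and is ignored on purpose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }

    // 2. Require that the file actually decodes as an image and that the
    //    image decoder agrees with finfo about the type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file is not a valid image');
    }

    // 3. Random server-chosen name; extension comes from the allowlist.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // 4. Stored files are data only: readable, never executable.
    chmod($dest, 0644);

    error_log(sprintf('profile image stored: %s (%s, %d bytes)', $name, $mime, $file['size']));
    return $name;
}

// Usage from the form handler for the 'image' field.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_profile_image($_FILES['image']);
        // Persist $stored against the user record and serve it later through
        // a script that calls readfile() with a fixed image Content-Type.
        http_response_code(200);
        echo 'ok';
    } catch (RuntimeException $e) {
        // Every rejection is logged, which gives the anomalous-upload
        // monitoring mentioned above something concrete to alert on.
        error_log('rejected profile image upload: ' . $e->getMessage());
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

The important design choice is that no decision depends on data the client controls: the type comes from the bytes, the name is random, and the extension is chosen from the allowlist. If a deployment must keep an upload directory under the web root for legacy reasons, the web server should additionally be configured to refuse script execution there (for Apache with mod_php, a `<Directory>` block with `php_admin_flag engine off` and the PHP handler removed), so that a validation bypass still yields only a static file.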

Added: Jul 10, 2025, 9:13 PM
Updated: Jul 10, 2025, 9:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.0
remediation: 0.0
relevance: 0.2
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.