Codecanyon iDentSoft Unrestricted File Upload Vulnerability

A critical vulnerability allowing unrestricted file uploads has been identified in Codecanyon iDentSoft version 2.0. This issue arises in the Account Setting Page, specifically within the file '/clinica/profile/updateSetting'. The vulnerability is triggered by manipulating the 'photo' argument, which allows the upload of files with potentially dangerous extensions, such as .php5.6, .phps, .phtm, .html, and .js. Depending on the server's PHP configuration, this could lead to arbitrary execution of system commands. The vulnerability can be exploited remotely, but requires authentication.

Impact

Exploitation of this vulnerability could allow an authenticated user to upload malicious files that could be executed on the server, potentially leading to arbitrary code execution.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the '/clinica/profile/updateSetting' endpoint, including a 'photo' argument that is crafted to bypass file upload restrictions. The uploaded file should have an extension that is typically allowed but can be executed as a script, such as .php5.6, .phps, .phtm, .html, or .js. Once the file is uploaded, it can be executed on the server, depending on the PHP configuration.