Campcodes Payroll Management System Local File Inclusion Vulnerability

Vulnerability

A local file inclusion (LFI) vulnerability has been identified in Campcodes Payroll Management System version 1.0. The issue resides in the '/index.php' file, where the application does not properly validate the 'page' parameter. This allows remote attackers to manipulate the parameter and include arbitrary files, potentially leading to code execution or exposure of sensitive information. Exploitation of this vulnerability requires authentication as a user.

Impact

Exploitation of this vulnerability allows for local file inclusion, where an attacker can specify files to be included and executed by the server. This could be used to execute malicious code or read sensitive files from the server.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials (username: admin, password: admin123). Once logged in, send a GET request to 'index.php' with the 'page' parameter set to a file URL that points to a local file on the server. The server will include the specified file, exploiting the local file inclusion vulnerability.
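
One way to close this class of flaw, shown as an added example rather than the project's own code, is to map the 'page' value onto a fixed allowlist so that request data never becomes part of a file path. The page identifiers, the pages/ directory and the function name resolve_page are hypothetical, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical page identifiers mapped to fixed files (assumed layout, not the project's).
const PAGE_MAP = [
    'home'     => 'home.php',
    'employee' => 'employee.php',
    'payroll'  => 'payroll.php',
];
const DEFAULT_PAGE = 'home';

/**
 * Resolve a requested page identifier to an absolute file path,
 * or return null when the identifier is unknown or the file lies outside $baseDir.
 */
function resolve_page(mixed $requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; only plain strings are accepted.
    if (!is_string($requested)) {
        return null;
    }
    // Exact-match lookup: the request value selects a key and is never concatenated into a path.
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$requested]);
    if ($base === false || $path === false) {
        return null; // base directory or mapped file is missing
    }
    // Defence in depth: a symlinked or misconfigured map entry must still resolve under $baseDir.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? DEFAULT_PAGE, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    // json_encode escapes control characters, so the rejected value cannot forge log lines.
    error_log('rejected page parameter: ' . json_encode($_GET['page'] ?? null));
    exit('Page not found');
}
require $target;
```

The rejected-value log line gives responders a signal to alert on, since a legitimate client only ever sends identifiers present in the map.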

Added: Aug 27, 2025, 2:21 PM
Updated: Aug 27, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.6
exploitability: 6.2
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.