Sourcecodester Personnel Property Equipment System Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in Sourcecodester Personnel Property Equipment System version 1.0. The issue arises from an arbitrary file upload feature in the admin_change_picture.php file, located in the ip/ppes/admin/ directory.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the application is hosted.

Reproduction

To reproduce this vulnerability, log in to the application as a super admin. Navigate to the admin_change_picture.php page. Upload a file through the provided file upload feature, ensuring that the file contains malicious PHP code, such as a PHP shell or a file that executes a command. Once the file is uploaded, it will be stored in the admin/uploads directory. Accessing the uploaded file through the web server will trigger the execution of the embedded code.
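One way to close the upload path described above, as an added example that is not the application's own code: the handler decides the file type from its content, re-encodes the image, and stores it under a server-generated name. The form field name `picture`, the storage path, and the function name `store_picture` are assumptions, and the fileinfo and GD extensions are assumed to be available.

```php
<?php
// Added example, not the application's code. Assumed: form field "picture",
// a storage directory outside the web root, and the fileinfo and GD extensions.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

function store_picture(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('type not allowed');
    }
    // Re-encode through GD so only decoded pixel data is written to disk.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-generated name and fixed extension: nothing from the request
    // reaches the filesystem path, so a ".php" name cannot be chosen.
    $name = bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store image');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['picture'])) {
    try {
        // Hypothetical path; keep it outside the document root.
        $stored = store_picture($_FILES['picture'], '/var/lib/ppes/pictures');
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

If uploaded files have to remain under admin/uploads, the web server should additionally be configured not to execute scripts from that directory.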

Added: Mar 2, 2026, 4:21 PM
Updated: Mar 2, 2026, 9:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.