SourceCodester Patient Appointment Scheduler System Arbitrary Code Execution Vulnerability

A remote code execution vulnerability has been identified in SourceCodester Patient Appointment Scheduler System version 1.0. The issue arises in the file 'SystemSettings.php' within the 'scheduler/classes' directory, specifically when the 'f' parameter is set to 'update_settings'. This vulnerability allows for arbitrary file uploads, which can be exploited to execute malicious code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the application is hosted.

Reproduction

To reproduce this vulnerability, log into the application using a super admin account. Navigate to the 'System Info' page. Send a POST request to 'SystemSettings.php' with the 'f' parameter set to 'update_settings'. Include a file named '1.php' in the 'img' form-data field. This uploaded file will be saved in the 'scheduler/uploads' directory, where it can be accessed and executed.