sanjay1313 Visitor Management System
cpe:2.3:a:visitor_management_system_project:visitor_management_system:*:*:*:*:*:*:*
- 1.0
A vulnerability allowing unrestricted file upload has been identified in Visitor Management System version 1.0, developed by sanjay1313. The issue arises in the files vms/php/admin_user_insert.php and vms/php/update_1.php, where the move_uploaded_file() function is used without any validation of MIME type, file extension, or content. This flaw enables an authenticated admin to upload a PHP web shell through the image upload field, which can then be executed on the server via the URL of the uploaded file.
Exploitation of this vulnerability allows for full remote code execution on the server, with the executed code running as the web server user. This could lead to a complete compromise of the server, unauthorized access to all visitor records, and potential lateral movement within the server's network.
To reproduce this vulnerability, log into the admin panel of the Visitor Management System. Once logged in, navigate to the 'Admin Users' section and select 'Add New Admin'. Upload a file named 'shell.php' as the profile photo. After the file is uploaded, it can be accessed via the URL 'http://target/vms/images/shell.php', where commands can be executed by appending '?cmd=' followed by the desired command.
To address this vulnerability, validate both the file extension and the MIME type (derived from the file contents, not from the client-supplied name or Content-Type) before moving an uploaded file into the web root. Only allow specific image formats such as JPEG, PNG, and GIF. Additionally, rename uploaded files to a server-generated, unpredictable name so that they cannot overwrite existing files and cannot be located by guessing.
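The following is an added example of a hardened replacement for the unchecked move_uploaded_file() call, written for this advisory and not taken from the project's code; it assumes the form field is named "photo", that the destination directory is vms/images/, and a 2 MiB size limit.

```php
<?php
// Added example (not the project's code): validate an uploaded profile photo
// by content, whitelist JPEG/PNG/GIF, and store it under a random name.
// Assumptions: field name "photo", destination vms/images/, 2 MiB cap.

function store_uploaded_image(array $file, string $destDir): string
{
    // Reject anything PHP itself flagged (partial upload, size limit, etc.).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) { // assumed 2 MiB cap
        throw new RuntimeException('File too large');
    }

    // Determine the type from the bytes on disk, never from the client-supplied
    // filename or $file['type'], both of which the uploader controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF are accepted');
    }
    // Independent second check that the bytes actually parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Discard the original name entirely: the extension comes from the
    // verified MIME type and the basename is random and unpredictable.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $name;
}

// Usage in admin_user_insert.php / update_1.php (files named in the advisory):
// $storedName = store_uploaded_image($_FILES['photo'], __DIR__ . '/../images');
```

As a defence-in-depth measure independent of this check, the upload directory should also be configured so the web server never executes scripts from it, so that a file which slips past validation is served as static content rather than run.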