SourceCodester Personnel Record Management System Unrestricted File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability allowing unrestricted file uploads has been identified in SourceCodester's Personnel Record Management System version 1.0. The issue resides in the 'Add Employee' page, specifically within the 'save_emp.php' file. Because the upload handler's file type validation and authorization checks can be bypassed, a remote attacker can upload a malicious WebShell script to the server. Once uploaded, the script can be executed with the privileges of the web server, giving full remote code execution. Successful exploitation could result in unauthorized execution of system commands, modification of server settings, theft of sensitive business information, deployment of ransomware or cryptominers, and lateral movement to compromise other servers on the internal network.

Impact

Exploitation of this vulnerability allows arbitrary file uploads, which can be leveraged to execute malicious code on the server with the web server's full privileges. This is a critical security risk, as it can lead to unauthorized access to, and manipulation of, server resources and data.

Reproduction

To reproduce this vulnerability, first authenticate as an administrator, potentially using an SQL injection payload to bypass login credentials. Once logged in, navigate to the 'Add Employee' module. Upload a malicious PHP file, such as one named 'shell.php' containing a simple PHP script, through the 'Image' upload field. After saving the profile, the uploaded file can be accessed via the server's file path, where the PHP code will execute, confirming successful exploitation.

Remediation

It is recommended to implement strict server-side file upload validation: an allow-list of permitted file types, rigorous MIME type checks on the file's actual content, and storing uploads under random, server-generated names so that an uploaded script cannot be executed. Additionally, monitor for and apply any security patches released by the developers.
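The following is an added example of what a hardened image-upload handler implementing the remediation above could look like; it is not code from the Personnel Record Management System. It assumes the form field is named 'image', that the caller has already verified an authenticated administrator session, and that uploads are written to a directory outside the web root (path chosen here as an assumption).

```php
<?php
// Added example: hardened profile-image upload handler (not the project's code).
// Assumptions: form field "image"; admin session already verified by the caller;
// UPLOAD_DIR is outside the web root and images are served by a separate read-only
// handler, so nothing placed there can ever be executed by the web server.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private'; // assumed path, adjust per deployment
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list keyed by the MIME type sniffed from file content; the value is the
// extension the server assigns. The client-supplied name and type are never used.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected');
    }
    // Check 1: sniff the real content type with libmagic.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Check 2: the bytes must actually decode as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('image does not parse');
    }
    // Random server-generated name; extension comes from the allow-list.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $name;       // persist this name in the employee record
}

if (isset($_FILES['image'])) {
    try {
        echo json_encode(['stored' => store_profile_image($_FILES['image'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```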

Added: Apr 5, 2026, 4:21 PM
Updated: Apr 5, 2026, 4:21 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.