rickxy Hospital Management System Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A critical arbitrary file upload vulnerability has been identified in rickxy Hospital Management System version 1.0, specifically within the file '/backend/admin/his_admin_account.php'. This vulnerability allows unauthenticated attackers to upload malicious PHP files, such as web shells, by exploiting the 'ad_dpic' parameter. The uploaded files can be executed remotely, leading to unauthorized access and control over the server. The vulnerability arises from inadequate validation of file extensions and MIME types, coupled with a lack of session validation on the affected endpoint.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the uploaded malicious file being executed as a PHP script. This could lead to full system compromise, unauthorized access to the database, and exposure of sensitive medical data.

Reproduction

To reproduce this vulnerability, send a POST request to '/backend/admin/his_admin_account.php' without authentication. Include a crafted 'ad_dpic' parameter with a malicious PHP payload instead of a valid image. The uploaded file will be saved in a directory where PHP scripts can be executed, such as '/backend/admin/assets/images/users/'.

Remediation

It is recommended to implement strict validation of uploaded files, ensuring only safe image types are accepted. Additionally, verify the actual content of uploaded files using PHP functions such as 'getimagesize()' or 'finfo_file()', rather than trusting the client-supplied file name or MIME type. Restrict execution permissions for PHP files in the upload directory, and rename uploaded files to a server-generated name so that an attacker cannot predict or reach the stored file by its original name.
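The following is a hardened handler for the 'ad_dpic' upload, written here as an added example (it is not the project's own code) to show the remediation steps above in working PHP. The session key 'admin_id', the 2 MB size limit and the use of the upload directory named in the advisory are assumptions.

```php
<?php
// Added example: hardened handling of the 'ad_dpic' upload. Assumptions: the admin
// session is marked by $_SESSION['admin_id']; the upload directory is the one named
// in the advisory; the size limit is arbitrary. Adjust to the real application.
session_start();
if (empty($_SESSION['admin_id'])) {          // the original endpoint had no session check
    http_response_code(403);
    exit('Authentication required');
}
const UPLOAD_DIR = __DIR__ . '/assets/images/users/';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Never trust $file['name'] or $file['type']; sniff the actual bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    // getimagesize() must be able to parse the file as an image of the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }
    // Server-chosen random name; the extension comes from the sniffed type, so the
    // client-supplied name and extension never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

if (isset($_FILES['ad_dpic'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_profile_picture($_FILES['ad_dpic']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Pair this with web-server configuration that refuses to execute scripts under the upload directory (for example, on Apache with mod_php, `php_admin_flag engine off` or `RemoveHandler .php` scoped to that directory), so that a file which somehow passes the checks still cannot run as PHP.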

Added: Apr 20, 2026, 4:19 AM
Updated: Apr 20, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.