Code-Projects Invoice System in Laravel Unrestricted File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in Code-Projects Invoice System version 1.0. The issue arises in the company logo upload feature, where the validation process is bypassed due to a discrepancy between the expected and actual form field names. This flaw enables remote attackers to upload files of any type, including PHP scripts, to a public directory without being subjected to the intended image validation. Exploitation of this vulnerability could lead to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which could include malicious PHP scripts that, if executed, could lead to a full server compromise. Additionally, the vulnerability could be exploited to overwrite or add content to the company's public profile.

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the '/company' endpoint in which the form field named 'logo' carries a file containing a PHP script. The request must include the appropriate multipart/form-data headers. The uploaded file will be saved in the 'public/uploads' directory, bypassing the application's file type validation.

Remediation

It is recommended to fix the validation logic to ensure that the upload rules correctly match the form field names. Additionally, implement strict MIME type validation for image uploads and consider storing uploaded files in a secure location, such as 'storage/app/public', using the Storage facade to manage file visibility.
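As an added illustration (not code from the Invoice System project), the following Laravel controller shows the pattern the advisory describes, a validation rule keyed to one field name while the file is read from another, beside the corrected form recommended above. The controller name, method names and the mismatched rule key 'company_logo' are assumptions; the field name 'logo', the '/company' endpoint and the 'public/uploads' directory come from the advisory.

```php
<?php
// Added example, not the Invoice System's own code. The class name, method
// names and the mismatched rule key 'company_logo' are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class CompanyController extends Controller
{
    // VULNERABLE PATTERN: the rule is keyed to 'company_logo', but the form
    // submits the file as 'logo'. Laravel skips non-implicit rules such as
    // 'image' and 'mimes' for an attribute that is absent from the request,
    // so validation passes and the unvalidated 'logo' file is moved,
    // whatever its type, into a web-served directory.
    public function updateVulnerable(Request $request)
    {
        $request->validate([
            'company_logo' => 'image|mimes:jpeg,png|max:2048',
        ]);

        $file = $request->file('logo');
        $file->move(public_path('uploads'), $file->getClientOriginalName());
        return back();
    }

    // HARDENED: the rule key matches the submitted field; 'image' and
    // 'mimes' check the content type detected from the file bytes, not the
    // client-supplied extension; the file goes through the Storage facade
    // to the 'public' disk (storage/app/public) under a server-generated
    // name instead of the original client filename.
    public function update(Request $request)
    {
        $validated = $request->validate([
            'logo' => ['required', 'file', 'image', 'mimes:jpeg,png', 'max:2048'],
        ]);

        // Returns a path such as "logos/<random>.png" on the public disk.
        $path = $validated['logo']->store('logos', 'public');

        return back()->with('logo_url', Storage::url($path));
    }
}
```

With the hardened version, a request carrying a PHP file in the 'logo' field fails the 'image'/'mimes' rules and is rejected with a validation error before anything is written to disk.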

Added: Apr 27, 2026, 9:22 AM
Updated: Apr 27, 2026, 9:22 AM