Code-Projects Online Lot Reservation System Unrestricted File Upload Vulnerability
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in Code-Projects Online Lot Reservation System version 1.0. The issue resides in the activity.php file, where the client-supplied directory parameter can be manipulated to bypass file type restrictions and traverse directories, leading to arbitrary file uploads and path traversal. This vulnerability can be exploited remotely, with the potential for uploaded files to be executed on the server.
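The root cause described above is a destination directory taken from the request and a file type check that can be sidestepped. The following is an added example, not code from the Code-Projects project (which is PHP), showing the two checks a hardened upload handler needs: the directory parameter is matched against a fixed allowlist instead of being used as a path, and the stored filename is generated server-side with an allowlisted extension. The upload root, subdirectory names and extension list are constructed assumptions for the example; the resolved path is re-checked against the root as defense in depth.

```python
import posixpath
import secrets
from typing import Optional

# Constructed for this example: a fixed upload root (served without script
# execution), a fixed set of subdirectories, and an extension allowlist.
UPLOAD_BASE = "/var/www/app/uploads"
ALLOWED_SUBDIRS = frozenset({"activities", "attachments"})
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "pdf"})


def is_within_base(base: str, candidate: str) -> bool:
    """True only if the normalised candidate path lies inside base."""
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    return posixpath.commonpath([base_n, cand_n]) == base_n


def allowed_extension(original_name: str) -> str:
    """Return the lower-cased extension of a client-supplied name if allowlisted."""
    name = posixpath.basename(original_name)  # ignore any directory part
    if "." not in name:
        raise ValueError("filename has no extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return ext


def resolve_upload_path(directory: str, original_name: str,
                        base: str = UPLOAD_BASE, token: Optional[str] = None) -> str:
    """Return the absolute destination path for an upload, or raise ValueError.

    directory     -- the client-supplied directory parameter; it must name one
                     of ALLOWED_SUBDIRS rather than an arbitrary path, so
                     traversal sequences and absolute paths are rejected outright.
    original_name -- used only for its extension; the stored name is random.
    token         -- optional fixed name (for tests); defaults to a random hex id.
    """
    if directory not in ALLOWED_SUBDIRS:
        raise ValueError(f"directory {directory!r} not in allowlist")
    ext = allowed_extension(original_name)
    stored_name = (token or secrets.token_hex(16)) + "." + ext
    dest = posixpath.join(base, directory, stored_name)
    # Defense in depth: even after the allowlist, confirm the final path is
    # still under the upload root before the filesystem is touched.
    if not is_within_base(base, dest):
        raise ValueError("resolved path escapes the upload root")
    return dest


if __name__ == "__main__":
    print(resolve_upload_path("activities", "photo.JPG", token="example"))
```

Because the stored name is generated by the server and ends in an allowlisted extension, the original filename never influences where the file lands or how the web server interprets it; the upload root should additionally be configured so the server does not execute scripts from it.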
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can include malicious scripts that are executed on the server, potentially leading to full server control.
Reproduction
To reproduce this vulnerability, first log in as an administrator. Then, upload a file through the activity.php page by manipulating the directory parameter to traverse to the web root. After the file is uploaded, it can be accessed and executed as a script.
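The steps above involve an authenticated request to activity.php whose directory parameter carries traversal sequences. As an added example (not part of the original advisory), the following detection logic scans web server access log lines for requests to activity.php where the directory parameter, after URL decoding, contains traversal or absolute-path characters. The log format, the sample lines and the IP addresses are constructed for the example; it assumes the parameter is visible in the request line (query string). If the application sends it in a POST body, the same check belongs in application-level request logging or a WAF rule, since it will not appear in standard access logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-style request lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /activity.php?directory=uploads HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2024:12:00:09 +0000] "POST /activity.php?directory=..%2F..%2F HTTP/1.1" 200 510
198.51.100.4 - - [10/May/2024:12:01:15 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/May/2024:12:01:20 +0000] "GET /activity.php?directory=%252e%252e%2f HTTP/1.1" 200 510
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def suspicious_directory_value(value: str) -> bool:
    """Flag traversal or absolute paths, decoding once more to catch double encoding."""
    decoded = unquote(value)
    return ".." in decoded or decoded.startswith("/") or "\\" in decoded


def find_traversal_attempts(lines):
    """Return (ip, timestamp, decoded directory value, status) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/activity.php"):
            continue
        # parse_qs performs one round of URL decoding on the values.
        for value in parse_qs(parts.query).get("directory", []):
            if suspicious_directory_value(value):
                hits.append((m.group("ip"), m.group("ts"), value, m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Both flagged lines return HTTP 200, which is the signal worth alerting on: a traversal value in the directory parameter that the application accepted, from an authenticated session, should trigger a review of what was written under the web root.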
