SourceCodester Simple POS and Inventory System - 1.0
A vulnerability allowing unrestricted file uploads has been identified in SourceCodester Simple POS and Inventory System version 1.0. The issue resides in the file '/admin/addproduct.php', where the 'image' parameter is manipulated to bypass file extension restrictions. This flaw enables remote exploitation by uploading malicious files, such as PHP web shells, which can be executed on the server.
Exploitation of this vulnerability allows for remote code execution on the server by uploading a PHP web shell to the web-accessible '/upload/' directory. Additionally, the SQL injection component of this vulnerability could be exploited to extract data from the application's database.
To reproduce this vulnerability, send a POST request to '/admin/addproduct.php' with the 'name', 'category', 'price', 'supplier', 'qty', and 'image' parameters. The 'name' parameter should include a payload that exploits the SQL injection vulnerability, such as a string that, when injected, causes a delay in the server's response. The 'image' parameter should be crafted to bypass the file extension validation, such as by using double extensions or uppercase file types.
Users are advised to implement prepared statements to prevent SQL injection; to strengthen upload validation by checking the file's actual MIME type against a strict allowlist; to randomize the filenames of uploaded files; to configure the web server so that PHP is never executed in the upload directory; and to store uploaded files in a location that is not accessible from the web.
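The mitigations above, combined into one hardened upload-and-insert path for the addproduct.php flow. This is an added example, not the project's own code: it assumes an existing PDO connection `$pdo` in exception mode, a `products` table with columns name, category, price, supplier, qty and image, and a storage directory `UPLOAD_DIR` that lies outside the web root.

```php
<?php
// Hardened replacement for the upload-and-insert path of addproduct.php (added example, not the
// project's code). Assumed: $pdo is a PDO connection in ERRMODE_EXCEPTION; the `products` table
// has columns name, category, price, supplier, qty, image; UPLOAD_DIR sits outside DocumentRoot
// and is only ever served through a download script that sends a fixed image Content-Type.
const UPLOAD_DIR = '/var/app/private_uploads';   // assumed path, not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
function store_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Allowlist on the final extension, lowercased: "shell.PHP", "shell.php.jpg" and "shell.phtml"
    // are judged by what they actually end with, and anything outside ALLOWED is refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Inspect the bytes; $file['type'] is client-supplied and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content is not an allowed image type');
    }
    // Server-chosen random name: the client never influences the stored filename or path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable data, never executable
    return $stored;
}
function add_product(PDO $pdo, array $post, array $file): void
{
    $image = store_image_upload($file);
    // Prepared statement: `name` and every other field are bound as data, not concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO products (name, category, price, supplier, qty, image)
                           VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([
        (string)($post['name'] ?? ''), (string)($post['category'] ?? ''), (float)($post['price'] ?? 0),
        (string)($post['supplier'] ?? ''), (int)($post['qty'] ?? 0), $image,
    ]);
}
// add_product($pdo, $_POST, $_FILES['image'] ?? []);
```

A syntactically valid image can still carry embedded text past the MIME and getimagesize checks, so the non-web-accessible directory and the non-executable handling are the controls that actually stop execution; re-encoding the image with GD before storage would additionally strip such content.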