Joomla! Component vBizz 1.0.7 Remote Code Execution

An authenticated attacker sends a POST request to `index.php?option=com_vbizz&view=employee` with a multipart form containing the `profile_pic` field set to a PHP file (e.g., `phpinfo.php`). The component stores the uploaded file under `components/com_vbizz/uploads/profile_pics/` without any extension or content-type validation [ref_id=1]. The attacker then directly requests the uploaded PHP file, which the server executes, achieving remote code execution.

The vulnerability resides in the Joomla! vBizz component (version 1.0.7). The `profile_pic` parameter in the employee view (`index.php?option=com_vbizz&view=employee`) accepts file uploads without validating the file type, allowing arbitrary PHP files to be written to the `components/com_vbizz/uploads/profile_pics/` directory.

No patch is available in the bundle. The advisory does not include a vendor fix or commit diff. To remediate the issue, the component must validate uploaded file extensions (e.g., allow only image types), verify MIME types server-side, and store uploads outside the web root or in a directory with script execution disabled.

Send a POST request to `http://localhost/[PATH]/index.php?option=com_vbizz&view=employee` with a multipart body containing `profile_pic` set to a PHP file (e.g., `phpinfo.php` with `<?php phpinfo(); ?>`). After the server responds with a 303 redirect, request the uploaded file at `http://localhost/[PATH]/components/com_vbizz/uploads/profile_pics/1548192100phpinfo.php` to execute the PHP code [ref_id=1].