SourceCodester Simple Cold Storage Management System Avatar unrestricted upload
Description
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /csms/admin/?page=user/manage_user of the component Avatar Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211049 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unrestricted file upload in SourceCodester Simple Cold Storage Management System 1.0 allows remote attackers to upload arbitrary files via the avatar handler.
Vulnerability
A vulnerability exists in SourceCodester Simple Cold Storage Management System version 1.0, specifically in the avatar upload functionality of the user management page at /csms/admin/?page=user/manage_user. The application fails to properly validate or restrict the file type during avatar upload, leading to an unrestricted file upload condition. This issue affects the Avatar Handler component and can be exploited by an authenticated administrator.
Exploitation
An attacker with valid administrator credentials can log into the admin panel and navigate to the user management page. Because the avatar handler enforces no effective file type restriction, a malicious file (e.g., a PHP web shell) uploaded as the avatar is accepted as-is. The uploaded file is stored on the server and can be accessed directly, as demonstrated in the public proof-of-concept [1].
Impact
Successful exploitation allows the attacker to upload arbitrary files to the server. If the uploaded file is a script (e.g., PHP), it can be executed, leading to remote code execution. This can result in full compromise of the web server, including data theft, defacement, or further lateral movement within the network.
Mitigation
As of the publication date, no official patch or fix has been released by the vendor. Users should restrict access to the admin panel, implement strict file type validation and server-side checks for uploaded files, and consider disabling the avatar upload feature if not required. The vulnerability is publicly known and may be actively exploited.
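The mitigation above asks for strict file type validation and server-side checks. The following is an added example of what such a check looks like for an avatar handler; it is not code from the Simple Cold Storage Management System project, and the function name `storeAvatar`, the form field `img` and the upload directory path are hypothetical.

```php
<?php
// Added example (not project code): server-side avatar validation that decides
// the file type from the bytes, not from the client-supplied name or MIME type.
// Names, field names and paths are hypothetical.
declare(strict_types=1);

const AVATAR_MAX_BYTES = 2 * 1024 * 1024;
// Detected content type => extension we assign; anything else is rejected.
const AVATAR_ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into $uploadDir under a random name.
 * Returns the stored file name, or throws RuntimeException on any failed check.
 */
function storeAvatar(array $file, string $uploadDir): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (error code ' . $err . ')');
    }
    // Only accept files that PHP itself received via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > AVATAR_MAX_BYTES) {
        throw new RuntimeException('avatar too large');
    }

    // Type from file contents; $file['type'] and the original name are attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(AVATAR_ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Independent second check: the file must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // Discard the original name entirely and assign our own extension.
    $name = bin2hex(random_bytes(16)) . '.' . AVATAR_ALLOWED[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store avatar');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Hypothetical use from the user management handler:
// try {
//     $avatar = storeAvatar($_FILES['img'] ?? [], __DIR__ . '/../uploads/avatars');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Avatar rejected: ' . htmlspecialchars($e->getMessage()));
// }
```

Two design points matter as much as the checks themselves: the stored name is generated by the server, so a client-chosen name such as `shell.php` never reaches the filesystem, and the upload directory should additionally be served with script execution disabled (for example `php_admin_flag engine off` under mod_php, or a location block that never passes the directory to PHP-FPM), so that even a file that slips through validation cannot be executed as code.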
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SourceCodester / Simple Cold Storage Management System: version 1.0 (range =1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.