VYPR
Unrated severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-43265

Description

An arbitrary file upload vulnerability in the component /pages/save_user.php of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Canteen Management System v1.0 has an unrestricted file upload in save_user.php allowing remote code execution via a crafted PHP file.

Vulnerability

Canteen Management System v1.0 [1] contains an unrestricted file upload vulnerability in the /assets/pages/save_user.php script [2]. The code directly uses the user-supplied filename from $_FILES['image']['name'] and moves the uploaded file to ../uploadImage/Profile/ without any validation of the file extension or content [2]. This allows an attacker to upload a malicious PHP file that can then be executed by accessing it via the web server.

Exploitation

An attacker can exploit this vulnerability by sending a crafted multipart/form-data POST request to /assets/pages/save_user.php with a PHP file (e.g., evil.php) in the image field [2]. No authentication is required to reach the endpoint. The file is successfully uploaded even though the server may return a 500 status due to PHP errors [2]. The attacker then accesses the uploaded file at http://target/uploadImage/Profile/evil.php to trigger execution.

Impact

Successful exploitation allows arbitrary PHP code execution on the server, leading to full compromise of the Canteen Management System instance [2]. An attacker can execute operating system commands, read sensitive files, or pivot to other systems on the network.

Mitigation

No official patch has been released for Canteen Management System v1.0 [1][2]. The vendor (SourceCodester) has not provided an update. As a workaround, administrators should implement strict file type validation (e.g., allow only image extensions) and ensure the upload directory is not directly executable. If the application is no longer maintained, consider replacing it with a supported alternative.
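The following PHP is an added illustration for the Vulnerability and Mitigation sections above; it is not code from Canteen Management System or SourceCodester. Only the `image` form field and the `../uploadImage/Profile/` directory come from the advisory text; the function names, the size limit and the allowlist are assumptions. It shows the trusting pattern the advisory describes (client filename used as-is, nothing checked) next to a handler that applies the workaround the Mitigation section recommends: an image-only allowlist decided from file content, a server-generated filename, and a fixed extension.

```php
<?php
// Added example, not the project's code. The 'image' field and the
// ../uploadImage/Profile/ directory are taken from the advisory text;
// all other names and limits are assumptions for illustration.

// --- Pattern described in the advisory (reconstructed): the client-supplied
// filename is trusted and neither extension nor content is checked, so a
// name ending in .php lands in a web-served directory. ---
function save_upload_unsafe(array $file, string $dir): string
{
    $dest = $dir . $file['name'];   // client controls the name and extension
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened handler: allowlist by content, server-chosen name. ---
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;   // assumed limit

/**
 * Validates an uploaded profile image and stores it under a random name.
 * Returns the stored path, or throws RuntimeException on any failure.
 */
function save_profile_image(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, not from $file['name'] or the
    // client-declared $file['type'], both of which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Independent second check: the file must actually parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Never reuse the client filename: random name, extension fixed by
    // the detected type, so no user-chosen ".php" can reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

// Usage as it would sit in an upload endpoint. Authenticating the caller
// is assumed to happen before this point (the advisory notes the original
// endpoint required none).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = save_profile_image($_FILES['image'], __DIR__ . '/../uploadImage/Profile');
        echo 'stored';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The content check and the random filename close the hole in the script, but the second half of the workaround, making the upload directory non-executable, belongs in the web server configuration and is worth applying regardless: for Apache an `.htaccess` (or `<Directory>` block) containing `php_admin_flag engine off` or a `<FilesMatch "\.ph(p|tml|ar)$">` block with `Require all denied`, and for nginx a `location ~* ^/uploadImage/.*\.php$ { deny all; }` rule, so that even a file that slips past validation is served as bytes rather than run as code.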

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)