VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2024 · Updated Nov 14, 2024

SourceCodester Best Employee Management System profile.php unrestricted upload

CVE-2024-11214

Description

A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher disclosure contains confusing vulnerability classes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in SourceCodester Best Employee Management System 1.0 via /admin/profile.php allows authenticated remote code execution.

Vulnerability

The vulnerability exists in the /admin/profile.php file of SourceCodester Best Employee Management System version 1.0 [1]. The website_image parameter is used to upload files, but the code lacks any validation of file type or content. Uploaded files are stored in ../assets/uploadImage/Profile/. An attacker with valid authentication can upload arbitrary files, including PHP scripts.

Exploitation

An authenticated attacker must have access to the profile upload functionality. The attacker prepares a malicious PHP file (e.g., shell.php) containing a command execution payload such as <?php system($_GET['cmd']);?>. This file is uploaded via the /admin/profile.php endpoint. After successful upload, the attacker accesses the uploaded file at http:///assets/uploadImage/Profile/shell.php?cmd= to execute arbitrary system commands.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the web server with the privileges of the web server process. This typically leads to full compromise of the application, including data exfiltration, modification, and further lateral movement within the network. The impact is rated as critical due to potential remote code execution.

Mitigation

No official patch has been released by SourceCodester as of the publication date [1]. The application is not listed on the CISA Known Exploited Vulnerabilities catalog. As a workaround, administrators should disable the file upload functionality or implement strict file type validation and restrict the upload directory to prevent execution of PHP files (e.g., via .htaccess or web server configuration).
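To make the workaround concrete, the following is an added example of a hardened upload handler for a profile-image field, written here for this page and not taken from the SourceCodester project or the advisory. It assumes the same field name (website_image) and the same destination directory (../assets/uploadImage/Profile/) that the Vulnerability and Mitigation sections name; the function and constant names are hypothetical. It addresses both gaps described above: the missing file type/content validation, and the client-controlled filename that lets a .php file land in a web-served directory.

```php
<?php
// Added example (not code from the Best Employee Management System): a hardened
// profile-image upload that validates content, never trusts the client-supplied
// name or MIME type, and stores files under a server-chosen name.

declare(strict_types=1);

// Destination directory follows the advisory text (assumption: same layout).
const UPLOAD_DIR = __DIR__ . '/../assets/uploadImage/Profile/';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB cap on profile images

// Allow-list keyed by the sniffed MIME type. The values are the only
// extensions ever written to disk, so a client name like "shell.php" is ignored.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR.
 * Returns the stored filename, or throws RuntimeException on any failure.
 */
function storeProfileImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept a file PHP itself received in this request; a forged
    // tmp_name pointing at an arbitrary local path is rejected here.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Sniff the real content type; $file['type'] is set by the client and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported image type: ' . $mime);
    }
    // Second check: the bytes must also decode as an image, which rejects a
    // file that carries an image signature but no valid image structure.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Server-generated, single-extension name: no user input, no double
    // extensions ("x.php.jpg"), no path traversal.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Usage inside the profile update handler. Authentication and session checks
// belong before this point and are omitted for brevity.
if (isset($_FILES['website_image'])) {
    try {
        $stored = storeProfileImage($_FILES['website_image']);
        // ... persist $stored in the user's profile row ...
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Application-side validation should be paired with the web-server control the Mitigation section mentions, so that a file reaching the upload directory by any other route still cannot run: on Apache, for example, an .htaccess in the upload directory that disables the PHP engine for that path (php_flag engine off) or removes the PHP handler (RemoveHandler .php), or serving the directory from a location where no script handler is configured at all.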

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.