Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Due to the absence of proper file extension checks, MIME type validation, and authentication, attackers can upload executable PHP files to a web-accessible directory (/files/). This allows them to execute arbitrary commands remotely by accessing the uploaded script, resulting in full Remote Code Execution (RCE) without authentication.
The attacker sends an HTTP request to the user_payment_update.php endpoint, uploading a malicious PHP file through the uploaded_file_cancelled form field. The application does not verify the file extension or MIME type, nor does it require authentication. The uploaded file is placed in the publicly accessible /files/ directory on the web server. The attacker can then directly invoke this file via a browser or HTTP request, resulting in the execution of arbitrary system commands in the context of the server.
Attacker gains full control over the server by executing arbitrary code (RCE) without requiring authentication, which may lead to data theft, system takeover, backdoor installation, or further lateral movement in the network.
Apply patches available from the manufacturer in accordance with the references. As a temporary measure, it is recommended to restrict access to the user_payment_update.php endpoint at the firewall or web server level, disable the ability to execute PHP scripts in the /files/ directory, and implement file extension and MIME type validation for uploaded files along with mandatory authentication for all file upload operations.
SourceCodester Client Database Management System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLerouxyxchire Client Database Management System
APPLerouxyxchire1.0
Related vulnerabilities
SQL Injection w SourceCodester Client Database Management System 1.0
SQL Injection w SourceCodester Client Database Management System 1.0
SQL Injection w SourceCodester Client Database Management System 1.0
SQL Injection w SourceCodester Client Database Management System 1.0
RCE poprzez Arbitrary File Upload w SourceCodester Client Database Management System 1.0