Critical Vulnerability Information

Vulnerability Type
Arbitrary File Upload Vulnerability

Affected Products and Versions
Product: code-projects online-notes-sharing V1.0
Affected/Fixed Version: V1.0

Vulnerable File

Vulnerability Description
Due to insufficient validation and filtering, the script is vulnerable to arbitrary file upload. Malicious files (such as PHP shells) are accepted and stored in publicly accessible directories, even when their extensions are disguised (e.g., .jpg). Attackers can upload and execute these files directly via a browser, potentially leading to remote code execution, thereby compromising the entire server and exposing sensitive data.

Impact
Full server compromise
Data leakage or manipulation
Unauthorized access to sensitive information
Service disruption or denial of service

Vulnerability Location

Reproduction Steps (PoC)
1. Choose a simple web shell payload, such as .
2. Change the file extension from to to bypass basic file type checks.
3. Upload the renamed file using the profile picture upload feature in .
4. Use Burp Suite to modify the upload request, ensuring the server processes it as a PHP file despite the extension.
5. After successful upload, access the uploaded file via its public path (e.g., ).
6. Send a POST request with a parameter to execute arbitrary PHP code on the server.

Recommended Remediation Measures
Strict File Type Validation: Allow only specific safe file types (e.g., JPEG, PNG, or GIF) by validating both the file extension and the MIME type detected from the file content, not the client-supplied Content-Type.
Rename Uploaded Files: Rename uploaded files to random or hashed filenames to prevent overwriting and to avoid revealing original filenames or extensions.
Store Files Outside Web Root: Save uploaded files outside the publicly accessible web directory so they cannot be requested or executed directly.
Use Whitelists, Not Blacklists: Do not rely on blocking known-dangerous extensions; instead, implement a whitelist of allowed file types.
Implement Content Scanning: Scan uploaded files for malicious content using antivirus or malware detection tools.
Limit File Size: Restrict the maximum upload size to prevent denial-of-service attacks.
Apply Appropriate Permissions: Ensure uploaded files and directories have restrictive permissions, preventing execution wherever possible.
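The following is an added example of a hardened profile picture upload handler that applies the remediation measures above (whitelist on extension and content-detected MIME type, random renaming, size cap, storage outside the web root, non-executable permissions). It is illustrative code written for this advisory, not code from the online-notes-sharing project; the function name, the storage directory and the 2 MiB size cap are assumptions.

```php
<?php
// Added example (not the online-notes-sharing project's code): hardened profile picture upload.
// Assumption: $storageDir is a directory outside the web root; files are later served
// through a separate read-only script, never by a direct URL.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB cap (assumed value)

// Whitelist: extension => MIME type that must be detected from the file content.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and move it to $storageDir under a random name.
 * Returns the stored file name, or null if any check fails.
 */
function storeProfileImage(array $file, string $storageDir): ?string
{
    // Reject upload errors, oversized files and anything not uploaded in this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || $file['size'] > MAX_UPLOAD_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Check 1: extension on the whitelist (a blacklist of .php/.phtml/... is not enough).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    // Check 2: MIME type from the bytes on disk, never from the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    // Check 3: the file must also decode as an image.
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext] || @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Random hashed name: the original name and extension never reach disk.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target  = rtrim($storageDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644); // readable, never executable
    return $newName;
}
```

A caller would invoke it as `storeProfileImage($_FILES['profile_pic'], '/var/app/uploads')` (both the form field name and path are assumed) and persist the returned name; the web server should additionally be configured so that the upload directory, if ever exposed, has script execution disabled.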