PHP User Management System is a powerful PHP script that offers a secure user management system. The application is a great way to build your website, allowing your users to register an account and build restricted access to certain users. We offer great support and it’s very easy to install. It’s powered by MYSQL and PHP.
Technical summary
/register.php fails to sanitize the uploaded file's extension properly, allowing an attacker to upload a PHP file. The only check is the following client-side JavaScript:
    <script type="text/javascript">
    // Client-side extension check from register.php: compares the part of the
    // filename after the last '.' against a fixed allowlist, in the browser only.
    function validate()
    {
        var extensions = new Array("jpg", "jpeg");
        var image_file = document.regform.image.value;
        var image_length = document.regform.image.value.length;
        var pos = image_file.lastIndexOf('.') + 1;
        var ext = image_file.substring(pos, image_length);
        var final_ext = ext.toLowerCase();
        for (var i = 0; i < extensions.length; i++)
        {
            if (extensions[i] == final_ext)
            {
                return true;
            }
        }
        alert("Image Extension Not Valid (Use Jpg,jpeg)");
        return false;
    }
    </script>
The above code runs only client-side, in the browser, so it can be bypassed by editing the request manually.
profile.php, admin/edit-user.php and feedback.php do not implement any form of file sanitization at all, so an attacker could simply click "upload" and select a PHP file.
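For contrast with the client-side check above, the following is an added example of the server-side validation that register.php, profile.php, admin/edit-user.php and feedback.php lack. It is not code from the PHP User Management System project; the function name store_uploaded_image, the field name "image", the upload directory and the 2 MiB size limit are assumptions made for illustration.

```php
<?php
// Added example, not from the vendor's code base. Server-side upload handling
// that does not trust anything the browser sends (name, extension, MIME type).
declare(strict_types=1);

/**
 * Validate an uploaded image and store it under a server-generated name.
 * Returns the stored filename; throws RuntimeException on any failure.
 *
 * @param array  $file      one entry of $_FILES (assumed field name "image")
 * @param string $uploadDir directory with PHP execution disabled (assumed path)
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    // 1. Only accept a file that PHP itself received as a successful upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Size limit (constructed value: 2 MiB).
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // 3. Allowlist the extension on the server. Lowercase it so "JPG" and
    //    "jpg" are treated the same; anything not in the map is rejected.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 4. Check the content, not just the name: sniff the MIME type from the
    //    bytes and require that the file decodes as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension: ' . $mime);
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // 5. Never reuse the client-supplied filename. A random name with only the
    //    allowlisted extension means nothing the client chose reaches disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $stored;
}

// Usage in a form handler (assumed field name "image", assumed directory):
// try {
//     $name = store_uploaded_image($_FILES['image'], __DIR__ . '/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

Two design points: the content check (finfo plus getimagesize) is defence in depth only, because a file that decodes as a valid image can still carry arbitrary bytes in metadata segments, so what actually prevents execution is that the stored name is server-generated with an image extension and the upload directory is configured so the web server never hands its files to the PHP interpreter. Both of those belong on the server; the JavaScript above provides neither.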
Synopsis
I have discovered multiple remote code execution vulnerabilities in the following files.
These vulnerabilities would allow an attacker to gain a foothold shell as www-data.
Proof of concept
Exploitation walkthrough can be found here: https://palioxss.com/projects/exploit1.html