| Title | SourceCodester Client Database Management System 1 Unrestricted Upload |
|---|
| Description | System: CDMS — Client Database Management System
Date: 2025-12-5
Author: Ravi Pipalwa
Module Affected: Leads Generation / Transaction Update
Severity: Critical
Vulnerability Type: Unrestricted File Upload → Remote Code Execution
Environment: Localhost (PHP-based Web Application)
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/17514/client-database-management-system.html
— -
1. Executive Summary
A critical Remote Code Execution (RCE) vulnerability was identified in the Client Database Management System (CDMS). The application allows attackers to upload arbitrary files without proper validation. Uploaded files are stored in a publicly accessible directory and can be executed by the web server.
An authenticated user can upload a malicious PHP file and directly execute it via the browser, resulting in full compromise of the application server.
— -
2. Vulnerability Description
The vulnerability exists in the Transaction Update functionality under the Leads Generation module. The system includes a file upload feature intended for attaching documents (e.g., cancellation reasons or supporting files).
Identified Issues:
a.) No server-side validation of file type or MIME type
b.) No restriction on executable file extensions (e.g., .php)
c.) Uploaded files stored in a web-accessible directory
d.) Directory listing is enabled
e.) Uploaded PHP files are executed by the server
This combination allows an attacker to upload a PHP script and execute arbitrary system commands.
— -
3. Affected Endpoint
/cdm/user_leads.php
Upload Directory: /cdm/files/
Direct Access Example: http://localhost/cdm/files/profile.php
— -
4. Proof of Concept (PoC)
Step Summary (High-Level)
1. Create a Transaction, if no transaction exists.
2. Navigate to Leads Generation → View Details → Update Transaction
3. Upload a file named: profile.php
4. Complete the transaction update
5. Access the uploaded file directly via browser: http://localhost/cdm/files/profile.php
6. The PHP file executes successfully on the server
Evidence Observed:
The /cdm/files/ directory lists uploaded files
The uploaded profile.php is executable
Server processes the PHP code instead of serving it as a download
— -
5. Impact Assessment
Successful exploitation allows:
Remote command execution
Web shell deployment
Database credential theft
Privilege escalation
Data exfiltration or destruction
Full server compromise
— -
6. Root Cause Analysis
a.) Missing file validation — No whitelist of allowed file types
b.) Executable upload allowed — PHP files accepted
c.) Public upload directory — Files stored under web root
d.) Directory listing enabled — Attackers can enumerate uploads
e.) No filename randomization — Predictable file access
— -
7. Security Recommendations
Immediate Fixes (High Priority)
Block executable file extensions (.php, .phtml, .php5, etc.)
Implement server-side MIME and content validation
Disable directory listing (Options -Indexes)
Store uploads outside the web root
Rename uploaded files using random UUIDs
Long-Term Hardening
Use a file upload allowlist (PDF, JPG, PNG only)
Serve uploaded files via download handler, not direct access
Implement antivirus/malware scanning
Enforce least privilege file permissions
Add WAF rules for file upload abuse
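An upload and download handler pair that applies the recommendations above (allowlist, content sniffing, random names, storage outside the web root, download-only serving), written here as an added example; it is not CDMS code, and the upload directory, field layout and function names are assumptions:

```php
<?php
// Added example (not CDMS code): hardened replacement for the upload flow the
// report describes. Directory, field and function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/cdm_uploads'; // outside the web root (assumed path)
const MAX_BYTES  = 5 * 1024 * 1024;
// Allowlist: extension => MIME type that the file content must actually have.
const ALLOWED = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'png' => 'image/png'];

/** Validates one entry of $_FILES and stores it under a random name; returns that name. */
function storeAttachment(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied extension is untrusted; it only selects an allowlist entry.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the real content type; the client's Content-Type header is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random, unguessable name: no profile.php-style predictable access.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored; // persist with the transaction record, not the original name
}

/** Streams a stored attachment as a download so the web server never executes it. */
function serveAttachment(string $stored, string $downloadName): void {
    // Caller must already have checked that the user may access this transaction.
    if (!preg_match('/^[a-f0-9]{32}\.(pdf|jpg|png)$/', $stored)) {
        http_response_code(404); return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($downloadName) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Because files live outside the web root and are only reachable through serveAttachment, the PHP interpreter is never invoked on them even if the allowlist were later widened.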
— -
8. OWASP Mapping
OWASP Top 10 2025 (As of now)
A03: Injection
A05: Security Misconfiguration
A08: Software and Data Integrity Failures
— -
9. Conclusion
The CDMS application is critically vulnerable to Remote Code Execution due to insecure file upload handling. Exploitation requires minimal effort and can lead to complete system compromise.
Immediate remediation is strongly recommended.
— -
10. Disclosure Statement
This report is intended for authorized security testing, educational, or defensive purposes only. No data was altered or destroyed during testing.
— - |
|---|
| Source | ⚠️ https://medium.com/@rvpipalwa/remote-code-execution-rce-vulnerability-report-4394b38ff90e |
|---|
| User | rvpipalwa (UID 93501) |
|---|
| Submission | 15/12/2025 08:49 (6 months ago) |
|---|
| Moderated | 18/12/2025 13:18 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 337373 [SourceCodester Client Database Management System 1.0 Leads Generation /user_leads.php privilege escalation] |
|---|
| Points | 20 |
|---|