Description
File upload vulnerability in the application.
Proof of Concept
Steps to reproduce
1) Log in to the application.
2) Go to https:
3) Upload any kind of file; the application accepts it.
Reference PoC
1) https:
2) https:
While creating a new bill, the user is able to upload any kind of malicious file, which would allow an attacker to run remote code and compromise the application.
Code
<input multiple="multiple" helptext="Maximum file size: 64 MB" class="form-control" id="ffInput_attachments" autocomplete="off" placeholder="Attachments" name="attachments[]" type="file">
Solution: define file type validation on the client side of the application to validate the file extension.
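As an added example (not code from this report or the application), a server-side check for a bill attachment, since a client-side extension check is skipped by any request crafted outside the browser; the extension allowlist and magic bytes are assumptions, and the 64 MB limit is taken from the form's helptext.

```python
import os
import secrets

# Constructed policy for the "attachments[]" field: 64 MB cap from the form's
# helptext, plus an assumed allowlist of extensions with their magic bytes.
MAX_BYTES = 64 * 1024 * 1024
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (True, extension) if the upload passes, else (False, reason).

    Checks size, the extension allowlist and that the file content starts
    with the magic bytes expected for that extension.
    """
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "exceeds 64 MB"
    # Only the last extension is consulted; path components are discarded.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext: str) -> str:
    """Random on-disk name: the user-supplied filename is never reused,
    so double extensions or path tricks in it cannot reach the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads.
    print(validate_attachment("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3"))
    print(validate_attachment("shell.php", b"<?php echo 1; ?>"))
    print(validate_attachment("shell.php.png", b"<?php echo 1; ?>"))
```

Reject the request on any False result before the bytes are written anywhere, and serve stored attachments from a location the web server never executes.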