SUMMARY
During a security audit of a compromised installation, a critical Unrestricted File Upload vulnerability was identified in the user and admin profile update functionality. This vulnerability allowed attackers to upload polyglot PHP scripts (disguised as images) to the public web directory.
VULNERABILITY DETAILS
The vulnerability resided in AccountController.php (both the User and Admin versions). While the system performed standard MIME type validation, it relied solely on Laravel's input validation rules, which can be bypassed in certain server environments or via polyglot file techniques. The secondary failure was using getClientOriginalExtension() to name the saved file: that method returns the extension of the client-supplied filename, and the value was not first cross-verified against a strict whitelist of allowed extensions.
This allowed attackers to upload polyglot files: binary files that contain valid image data (so they render as real images in a browser) but also embed malicious PHP code. Because the system trusted the user-provided filename metadata, these files were saved with their original server-executable extensions (e.g., .php56, .phtml) in the public web directory.
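The following is an added example of the hardened handling that closes both failure modes above; it is not code from AccountController.php or from the project. It is plain PHP so it runs outside Laravel (under Laravel, `$request->file('avatar')->getPathname()` would supply `$tmpPath`). The function name `storeProfileImage()`, the exception class `UploadRejected`, the size limit and the two-type allow-list are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's code). Three controls replace trust in the
// client-supplied filename:
//  1. The stored extension comes from a fixed allow-list keyed on the MIME type
//     detected from file contents (finfo), never from getClientOriginalExtension().
//  2. The image is decoded and re-encoded with GD, so bytes that are not pixel
//     data (a payload appended to or embedded in a valid image) are dropped.
//  3. The filename is random, so the uploader controls no part of the path.

final class UploadRejected extends RuntimeException {}

// Detected MIME type => extension we are willing to write. Nothing else is stored.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed policy limit

function storeProfileImage(string $tmpPath, string $destinationDir): string
{
    // In a real request handler also require is_uploaded_file($tmpPath) so only
    // PHP's own upload temp file is ever read.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new UploadRejected('file size out of bounds');
    }

    // Content-based detection: finfo reads magic bytes and ignores both the
    // filename and the browser-supplied Content-Type.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if (!isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new UploadRejected("unsupported type: {$detected}");
    }
    $extension = ALLOWED_IMAGE_TYPES[$detected];

    // Decode the pixels. A polyglot still decodes here (that is what makes it a
    // polyglot), so decoding alone is not the control; re-encoding below is.
    $image = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($image === false) {
        throw new UploadRejected('not a decodable image');
    }

    // Server-chosen random name with the allow-listed extension.
    $name   = bin2hex(random_bytes(16)) . '.' . $extension;
    $target = rtrim($destinationDir, '/') . '/' . $name;

    // Re-encode from the in-memory bitmap: trailing bytes, comment segments and
    // metadata from the original file are not carried over.
    $ok = $extension === 'png'
        ? imagepng($image, $target)
        : imagejpeg($image, $target, 90);
    imagedestroy($image);
    if (!$ok) {
        throw new UploadRejected('failed to write image');
    }
    return $name;
}

// Constructed demonstration (runs offline): a valid 2x2 PNG with junk appended
// after the image data stands in for a polyglot. The stored copy must not
// contain the junk, and its extension must come from the allow-list.
$tmp = tempnam(sys_get_temp_dir(), 'up');
$img = imagecreatetruecolor(2, 2);
ob_start();
imagepng($img);
$png = ob_get_clean();
imagedestroy($img);
file_put_contents($tmp, $png . 'TRAILING-NON-IMAGE-BYTES');

$outDir = sys_get_temp_dir();
$stored = storeProfileImage($tmp, $outDir);
assert(str_ends_with($stored, '.png'));
assert(strpos(file_get_contents("$outDir/$stored"), 'TRAILING-NON-IMAGE-BYTES') === false);
echo "stored as {$stored}\n";
```

Re-encoding is the control that actually defeats a polyglot, because an allow-list on detected type still accepts a file whose image portion is genuine. Even so, write uploads to a directory the web server serves as static content only (no PHP handler mapped for it, or outside the document root behind a download route), so a future gap in the checks does not become code execution.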