Unrestricted Image Upload in causefx/organizr
Apr 15th 2022
When testing the file upload function in Organizr (2.1.1830), the image upload feature in Image Manager has improved validation, but a user can still bypass it with a double-extension filename (for example a non-image file whose name also carries a jpg or png extension).
Proof of Concept
- Log in and go to Settings -> Image Manager
- Upload a file whose name carries a double extension including jpg/png (tested with php and svg files)
This is not a security issue as such, since none of the uploaded test files could be executed. The flaw does, however, allow a user to upload file types that the application has no need for.
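To make the bypass concrete, here is an added example (not Organizr's code) contrasting a hypothetical weak extension filter, which accepts a name as long as any dotted segment is an image extension, with a hardened check that looks only at the final extension, verifies the file's magic bytes against it, and stores the upload under a server-generated name. The sample filenames and byte strings are constructed for the demonstration.

```python
import secrets

# Allowed image types and the leading bytes (magic numbers) each must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample contents (not real uploads from the report).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_PHP = b"<?php echo 'hello'; ?>"
SAMPLE_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"


def weak_extension_check(filename):
    """Hypothetical weak filter (an assumption, not Organizr's logic):
    the upload passes if ANY extension segment in the name is an image type.
    'shell.php.jpg', 'shell.jpg.php' and 'icon.jpg.svg' all get through."""
    segments = filename.lower().split(".")[1:]
    return any(seg in MAGIC for seg in segments)


def validate_image_upload(filename, data):
    """Hardened check. Returns (True, stored_name) or (False, reason).

    - only the last extension counts; earlier segments are ignored
    - that extension must be on the allow-list (svg is not: it can carry script)
    - the content must start with the magic bytes for that extension
    - the file is stored under a random server-chosen name, so the
      client-supplied name (and any double extension in it) never reaches disk
    """
    lowered = filename.lower()
    if "." not in lowered:
        return False, "no extension"
    ext = lowered.rsplit(".", 1)[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, f"content does not look like {ext}"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    cases = [
        ("photo.png", SAMPLE_PNG),
        ("shell.php.jpg", SAMPLE_PHP),
        ("shell.jpg.php", SAMPLE_PHP),
        ("icon.jpg.svg", SAMPLE_SVG),
    ]
    for name, content in cases:
        weak = weak_extension_check(name)
        ok, detail = validate_image_upload(name, content)
        print(f"{name:15} weak={weak!s:5} hardened={ok!s:5} {detail}")
```

The weak filter accepts three of the four sample names; the hardened one accepts only the genuine PNG. Whether a double-extension file on disk can actually be executed depends on how the web server maps extensions to handlers, which is why the hardened version discards the client-supplied name entirely instead of trying to sanitise it.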