This writeup describes an arbitrary file upload vulnerability in DeWorkshop 1.0: the application does not validate file extensions during profile picture uploads, which allows attackers to upload malicious files. The vulnerability is demonstrated with a proof-of-concept URL and a code snippet showing the insecure file handling logic.
Classification: Writeup 90%
Target: DeWorkshop 1.0
Auth required
Prerequisites: Access to the customer profile update functionality; valid session or authentication credentials