Overview
These vulnerabilities arise from improper handling of uploaded files in the Claydip Laravel Airbnb Clone 1.0, tracked as CVE-2017-14704 (CWE-434, Unrestricted Upload of File with Dangerous Type). The imageSubmit and proof_submit functions accept uploads without restricting the file type, so a remote authenticated user can upload a file with an executable extension and then request it directly via a URL under images/profile. If the uploaded file is PHP, or anything else the web server hands to an interpreter, the attacker can execute code on the server, potentially taking control of it or escalating privileges. The root cause is that uploads were neither validated nor isolated from the web root, which turns a crafted upload into remote code execution.
Affected Versions
Claydip Laravel Airbnb Clone 1.0
Code Fix Example
Laravel API Security Remediation
<?php

use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

// Vulnerable pattern: no validation, and the file lands under the web root with the
// client-supplied extension intact, so an uploaded .php file becomes reachable and
// executable at /images/profile/<timestamp>.php.
class VulnerableProfileController extends Controller
{
    public function imageSubmit(Request $request)
    {
        if ($request->hasFile('image')) {
            $image = $request->file('image');
            $filename = time().'.'.$image->getClientOriginalExtension();
            // WARNING: stores directly in publicly accessible path; executable extensions allowed
            $image->move(public_path('images/profile'), $filename);
        }
    }
}

// Fixed pattern: validate the upload, then let Laravel's Storage name and place it.
class ProfileController extends Controller
{
    public function imageSubmit(Request $request)
    {
        // 'image' requires a real image; 'mimes' checks the MIME type detected from the
        // file contents (not the client's extension) against this list.
        // Caveat: SVG can carry script, so drop it from the list unless uploads are sanitized.
        $request->validate([
            'image' => 'required|image|mimes:jpeg,png,jpg,gif,svg|max:2048',
        ]);

        if ($request->hasFile('image')) {
            $image = $request->file('image');
            // store() writes to the 'public' disk (storage/app/public, served through the
            // public/storage symlink) under a random hashed name whose extension is derived
            // from the detected MIME type, so the client-controlled filename never reaches disk.
            $path = $image->store('profile_images', 'public');
            // Persist $path (e.g., in DB) and generate URL with Storage::url($path)
        }
    }
}
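Added here as an example, not code from the advisory or from the Claydip project: a Python audit a defender can run over public/images/profile (or any upload directory) to find files that slipped through before the fix above was applied. It flags extensions outside an assumed image allow-list, content whose leading bytes do not match the extension, and PHP open tags; the sample files are constructed inline.

```python
"""Audit an upload directory (e.g. public/images/profile) for files that should
never sit under a web-served path. Sample files are constructed inline."""
import os
import re
import tempfile

# Assumed allow-list; svg is left out deliberately because it can carry script.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of each permitted image type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_upload_dir(root):
    """Return {relative_path: [findings]} for every suspicious file under root."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with open(path, "rb") as fh:
                body = fh.read()
            problems = []
            if ext not in IMAGE_EXTS:
                problems.append("extension not in allow-list")
            elif not body.startswith(MAGIC[ext]):
                problems.append("magic bytes do not match extension")
            if PHP_TAG.search(body):
                problems.append("contains PHP open tag")
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def demo():
    """Build a constructed images/profile directory and audit it."""
    root = tempfile.mkdtemp()
    samples = {
        "1507000000.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # legitimate image
        "1507000001.php": b"<?php echo 'test'; ?>",              # script with executable extension
        "1507000002.jpg": b"<?php echo 'test'; ?>",              # script hiding behind .jpg
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return audit_upload_dir(root)
```

Any hit for "contains PHP open tag" under a web-served path should be treated as a possible compromise and investigated, not just deleted.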