🚨 Vulnerable File Upload

This upload endpoint has NO security controls:

No file type validation
No file size limits
No filename sanitization
Directory traversal possible
Can overwrite system files
Executable files allowed

Dangerous Test Cases:

1. Web Shell Upload:

Create a file named: shell.php
Content: <?php system($_GET['cmd']); ?>

2. Directory Traversal:

Filename: ../../../evil.txt
Overwrites files outside upload directory

3. Configuration Overwrite:

Filename: ../../.env
Could overwrite environment variables

4. Large File DoS:

Upload very large files to consume disk space

How to fix:

Validate file types with whitelist
Implement file size limits
Sanitize filenames completely
Store uploads outside web root
Use antivirus scanning
Generate random filenames