
Pachno 1.0.6 (uploadfile) Unrestricted File Upload Remote Code Execution

Severity: High
Advisory ID: ZSL-2026-5982
Release Date: 12 April 2026
Vendor: Daniel André Eikeland - https://github.com/pachno/pachno
Affected Version: 1.0.6
CVE: N/A
Tested On: GNU/Linux, Apache2, PHP/7.4, MySQL/5.7 (MariaDB)
Summary

Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.

Description

The multipart file parameter of the /uploadfile endpoint lets any authenticated user write files directly to the server. File upload must first be enabled by an administrator, who also configures the storage path; that path can point inside the web-accessible /public directory. Extension filtering is ineffective: a blacklist of extensions exists in the code but is never called (dead code), so arbitrary file types such as .php5 are accepted. The file is written to disk regardless of the outcome of the permission checks. When the configured upload path is web-accessible, an authenticated user can upload a server-side script and request it through the web server, resulting in remote code execution.
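The failure pattern the description points at, a blacklist that is defined but never invoked next to storage under a web-served directory, shown beside a hardened check. This is an added example written for this page, not Pachno's code; the function names, the extension lists and the directory layout are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Pachno's code. Demonstrates the flaw pattern (a blacklist
 * that exists but is never called, original filename kept, storage under the
 * web root) next to a hardened upload path. Names and lists are assumptions.
 */

// --- Vulnerable pattern ------------------------------------------------------

// Dead code: defined, but no caller ever invokes it. Even if it were called,
// 'php5' is missing from the list; blacklists are easy to get wrong.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar'];

function isBlockedExtension(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Keeps the client-supplied name and writes it under the web-served tree,
// so an uploaded shell.php5 becomes reachable and executable.
function uploadDestinationVulnerable(string $originalName, string $uploadDir): string
{
    return rtrim($uploadDir, '/') . '/' . basename($originalName);
}

// --- Hardened pattern --------------------------------------------------------

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// Returns the server-side destination path, or null when the upload is rejected.
function uploadDestinationHardened(string $originalName, string $storageDir, string $webRoot): ?string
{
    // Refuse to store anywhere under the document root, whatever was configured.
    // realpath() returns false for a missing directory, which is also a rejection.
    $real = realpath($storageDir);
    $root = realpath($webRoot);
    if ($real === false || $root === false || strpos($real . '/', $root . '/') === 0) {
        return null;
    }

    // Allowlist on the final extension only. The original name is never reused,
    // so shell.php.jpg, trailing dots or path separators cannot survive the rename.
    $ext = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Random server-generated name with the validated extension.
    return $real . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Demo: constructed directories and filenames -----------------------------

$base    = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
$webRoot = $base . '/public';
$outside = $base . '/storage';
foreach ([$webRoot . '/files', $outside] as $dir) {
    mkdir($dir, 0700, true);
}

foreach (['shell.php5', 'shell.php.jpg', 'avatar.png', 'README'] as $name) {
    $v = uploadDestinationVulnerable($name, $webRoot . '/files');
    $h = uploadDestinationHardened($name, $outside, $webRoot) ?? 'rejected';
    $i = uploadDestinationHardened($name, $webRoot . '/files', $webRoot) ?? 'rejected';
    printf("%s\n  vulnerable:                 %s\n  hardened, outside web root: %s\n  hardened, inside web root:  %s\n",
        $name, $v, $h, $i);
}
```

Run it with `php` on the command line; no web server is needed. The hardened variant rejects shell.php5 outright, accepts shell.php.jpg only under a random name ending in .jpg, and refuses any storage directory under the document root regardless of what an administrator configured. Serving the stored files through a download script that sets Content-Disposition, and disabling script execution in the storage directory at the web server (for example `php_admin_flag engine off` in a `<Directory>` block under mod_php), are the complementary server-side controls.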

Proof of Concept
Disclosure Timeline
06.04.2026  Vulnerability discovered.
09.04.2026  Vendor contacted.
11.04.2026  No response from the vendor.
12.04.2026  Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
N/A
Changelog
12.04.2026  Initial release