| Field | Value |
|---|---|
| Title | Kushan2k student-management-system 1.0 Unrestricted File Upload |

**Description**

The student registration form allows uploading a profile image (`stimg`). The server-side code in `RegisterService.php` only checks the file size, then moves the uploaded file directly to the web-accessible directory `public/profiles/` without any validation of file extension, MIME type, or content:
```php
$img = $files['stimg'];
$UPLOAD_DIR = '../public/profiles/';
// Only the size is checked; extension, MIME type and content are never validated
if ($img["size"] > 5000000) { ... }
// Destination name is predictable: UNIX timestamp + client-supplied filename
$img_url = $UPLOAD_DIR . time() . basename($img['name']);
if (!move_uploaded_file($img['tmp_name'], $img_url)) {
    $_SESSION['error'] = 'file upload error!';
    return;
}
```
The server is configured to execute PHP scripts located inside `public/profiles/`. An attacker can therefore register a new student (or impersonate an existing one if the form lacks authentication) and upload a `.php` file (e.g., a web shell) as the profile image. The file is saved with a predictable name (UNIX timestamp + original filename), and the attacker can then request it directly, achieving remote code execution.

**Steps to Reproduce**

1. Prepare a minimal PHP payload, e.g., `<?php echo 'RCE_POC_123'; ?>`.
2. Send a multipart POST request to the registration endpoint (`controllers/RegisterController.php`) with all required fields and the `stimg` field containing the PHP file. Set the filename to `poc.php`.
3. The server responds with a redirect or success message, and the file is saved as `public/profiles/{timestamp}poc.php`.
4. Retrieve the file name from the response (e.g., by checking the profile page or predicting the timestamp) and request it directly: `GET /public/profiles/1779255153poc.php`
5. The server returns `RCE_POC_123`, confirming code execution.
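The following is an added example, not code from the Kushan2k project or from the report, showing how the upload handler quoted above could be hardened: the MIME type is sniffed from the file content rather than taken from the client, the file must also decode as an image of that type, the client-supplied filename is discarded in favour of a random name with a server-chosen extension, and the file is written to a directory outside the web root with non-executable permissions. The storage path `storage/profiles/`, the function name `storeProfileImage` and the constant names are assumptions; only the `stimg` field, the 5000000-byte limit and the `$_SESSION['error']` convention come from the report.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// profile-image upload in RegisterService.php. Paths and names are assumed.

// Store uploads OUTSIDE the document root so nothing in it can be executed
// by the web server even if a non-image slips through. (assumed path)
const PROFILE_UPLOAD_DIR = __DIR__ . '/../storage/profiles/';
const MAX_PROFILE_BYTES  = 5000000;

// Allow-list keyed by the MIME type detected from file *content*, mapped to
// the extension the stored file will be given. The client never chooses either.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate and store an uploaded profile image.
 * Returns the stored file name on success, or null when the upload is rejected.
 */
function storeProfileImage(array $file): ?string
{
    // Reject anything that did not arrive as a normal, error-free PHP upload.
    if (!isset($file['error'], $file['tmp_name'], $file['size'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > MAX_PROFILE_BYTES) {
        return null;
    }

    // 1. Detect the MIME type from the bytes, ignoring $file['type'] and the
    //    client-supplied name entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // 2. Require that the file actually parses as an image of the same type,
    //    so a PHP file with a forged image header is still rejected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        return null;
    }

    // 3. Generate an unpredictable name with a server-chosen extension. This
    //    replaces the predictable time() . basename($img['name']) scheme.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = PROFILE_UPLOAD_DIR . $name;

    if (!is_dir(PROFILE_UPLOAD_DIR) && !mkdir(PROFILE_UPLOAD_DIR, 0750, true)) {
        return null;
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

// Usage in the registration flow (mirrors the original's $files['stimg']
// and $_SESSION['error'] handling):
// $stored = storeProfileImage($_FILES['stimg']);
// if ($stored === null) {
//     $_SESSION['error'] = 'invalid profile image';
//     return;
// }
```

Because the images now live outside the web root, the application has to serve them through a small read-only handler that looks up the stored name and emits the file with the correct `Content-Type` header. If the project must keep writing into `public/profiles/` instead, the directory should additionally have script execution disabled at the web-server level (for Apache with mod_php, `php_admin_flag engine off` in a `<Directory>` block for that path), so that the filename checks are not the only thing standing between an upload and code execution.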
| Field | Value |
|---|---|
| Source | https://github.com/Kushan2k/student-management-system/issues/1 |
| User | SweetSour (UID 98392) |
| Submission | 20/05/2026 08:08 AM (21 days ago) |
| Moderation | 07/06/2026 11:37 AM (18 days later) |
| Status | Accepted |
| VulDB Entry | 369094 [Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a Registration Endpoint RegisterService.php stimg Privilege Escalation] |
| Points | 20 |