Soumettre #833933: Kushan2k student-management-system 1.0 Unrestricted File Uploadinformation

TitreKushan2k student-management-system 1.0 Unrestricted File Upload
DescriptionThe student registration form allows uploading a profile image (`stimg`). The server‑side code in `RegisterService.php` only checks the file size, then moves the uploaded file directly to the web‑accessible directory `public/profiles/` without any validation of file extension, MIME type, or content: ```php $img = $files['stimg']; $UPLOAD_DIR = '../public/profiles/'; if ($img["size"] > 5000000) { ... } $img_url = $UPLOAD_DIR . time() . basename($img['name']); if (!move_uploaded_file($img['tmp_name'], $img_url)){ $_SESSION['error'] = 'file upload error!'; return; } ``` The server is configured to execute PHP scripts located inside public/profiles/. An attacker can therefore register a new student (or impersonate an existing one if the form lacks authentication) and upload a .php file (e.g., a web shell) as the profile image. The file is saved with a predictable name (UNIX_TIMESTAMP + original filename), and the attacker can then request it directly, achieving remote code execution. Steps to Reproduce Prepare a minimal PHP payload, e.g., <?php echo 'RCE_POC_123'; ?>. Send a multipart POST request to the registration endpoint (controllers/RegisterController.php) with all required fields and the stimg field containing the PHP file. Set the filename to poc.php. The server responds with a redirect or success message, and the file is saved as public/profiles/{timestamp}poc.php. Retrieve the file name from the response (e.g., by checking the profile page or predicting the timestamp) and request it directly: GET /public/profiles/1779255153poc.php The server returns RCE_POC_123, confirming code execution.
La source⚠️ https://github.com/Kushan2k/student-management-system/issues/1
Utilisateur
 SweetSour (UID 98392)
Soumission20/05/2026 08:08 (il y a 21 jours)
Modérer07/06/2026 11:37 (18 days later)
StatutAccepté
Entrée VulDB369094 [Kushan2k student-management-system Registration Endpoint RegisterService.php stimg élévation de privilèges]
Points20

PrécédentAperçuSuivant

Want to know what is going to be exploited?

We predict KEV entries!