제출 #833933: Kushan2k student-management-system 1.0 Unrestricted File Upload정보

제목	Kushan2k student-management-system 1.0 Unrestricted File Upload
설명	The student registration form allows uploading a profile image (`stimg`). The server‑side code in `RegisterService.php` only checks the file size, then moves the uploaded file directly to the web‑accessible directory `public/profiles/` without any validation of file extension, MIME type, or content: ```php $img = $files['stimg']; $UPLOAD_DIR = '../public/profiles/'; if ($img["size"] > 5000000) { ... } $img_url = $UPLOAD_DIR . time() . basename($img['name']); if (!move_uploaded_file($img['tmp_name'], $img_url)){ $_SESSION['error'] = 'file upload error!'; return; } ``` The server is configured to execute PHP scripts located inside public/profiles/. An attacker can therefore register a new student (or impersonate an existing one if the form lacks authentication) and upload a .php file (e.g., a web shell) as the profile image. The file is saved with a predictable name (UNIX_TIMESTAMP + original filename), and the attacker can then request it directly, achieving remote code execution. Steps to Reproduce Prepare a minimal PHP payload, e.g., <?php echo 'RCE_POC_123'; ?>. Send a multipart POST request to the registration endpoint (controllers/RegisterController.php) with all required fields and the stimg field containing the PHP file. Set the filename to poc.php. The server responds with a redirect or success message, and the file is saved as public/profiles/{timestamp}poc.php. Retrieve the file name from the response (e.g., by checking the profile page or predicting the timestamp) and request it directly: GET /public/profiles/1779255153poc.php The server returns RCE_POC_123, confirming code execution.
원천	⚠️ https://github.com/Kushan2k/student-management-system/issues/1
사용자	SweetSour (UID 98392)
제출	2026. 05. 20. AM 08:08 (21 날 ago)
모더레이션	2026. 06. 07. AM 11:37 (18 days later)
상태	수락
VulDB 항목	369094 [Kushan2k student-management-system 까지 f16a4ceaddd6729c4b306ed4641cda3176c1ef2a Registration Endpoint RegisterService.php stimg 권한 상승]
포인트들	20

◂ 이전 개요 다음 ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!