Submission #832530: tittuvarghese CollegeManagementSystem 1.0 Unrestricted File Upload Leading

Title: tittuvarghese CollegeManagementSystem 1.0 Unrestricted File Upload Leading
Description: The student data upload endpoint (`upload_student_data.php`) accepts a CSV file but performs only a superficial MIME-type check that relies entirely on the client-supplied `Content-Type` header. The relevant code:

```php
$FileUploadPath= "uploads/";
// The only check: the MIME type the client put in the multipart request
if ((($_FILES["Student-Data-CSV"]["type"] == "application/csv")) ...
    // Extension copied from the client-supplied filename, no whitelist
    $FileName = $program.$department.$course_code.$batch.$yoa.'.' . pathinfo($_FILES['Student-Data-CSV']['name'],PATHINFO_EXTENSION);
    move_uploaded_file($_FILES["Student-Data-CSV"]["tmp_name"], $FileUploadPath . $FileName);
```

The only validation is `$_FILES["Student-Data-CSV"]["type"] == "application/csv"`. PHP fills the `type` element of `$_FILES` verbatim from the `Content-Type` of the uploaded multipart part and does not verify it, so the check is trivially forged. The file extension is taken directly from the user-supplied filename via `PATHINFO_EXTENSION`, with no whitelist. The destination directory `dashboard_page/forms/uploads/` is web-accessible and allows PHP execution. As a result, an attacker can upload a `.php` file (e.g., a web shell) by setting the MIME type to `application/csv` and using a filename that ends in `.php`. The server stores the file under a predictable name composed of the other form fields, and the attacker can then request it directly to achieve remote code execution.

Steps to reproduce:
1. Craft a PHP payload, e.g. `<?php echo md5('123456789'); ?>`.
2. Submit a multipart POST request to `upload_student_data.php` with the student data parameters (Department, Program, Course, Batch, Year of Admission) and the `Student-Data-CSV` file field set to the PHP file, with `Content-Type: application/csv` and `filename=shell.php`.
3. The server responds with a CSV format error message, but the file has already been stored on disk.
4. Compute the saved filename: `{Program}{Department}{Course}{Batch}{YOA}.php` (e.g., `XXYYZZBB2011.php`).
5. Request `http://127.0.0.1:3000/dashboard_page/forms/uploads/XXYYZZBB2011.php`. The PHP code is executed and its output (e.g., `25f9e794323b453885f5181f1b624d0b`) is returned.
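The fix is to stop consulting the multipart `Content-Type` at all, allow-list the extension instead of copying it, sniff the stored bytes server-side, build the filename only from validated form fields, and keep uploads in a directory the web server will not execute. The following hardened handler is an added example and is not code from the CollegeManagementSystem project; the private directory path, the 2 MiB size limit, the alphanumeric pattern for the form fields and the function and constant names are assumptions made for the example:

```php
<?php
// Added example (not code from CollegeManagementSystem): a hardened handler
// for the Student-Data-CSV upload described in the advisory. Assumptions not
// taken from the page: the private directory path, the 2 MiB size limit, the
// alphanumeric pattern for the form fields, and the function/constant names.
declare(strict_types=1);

const MAX_CSV_BYTES = 2 * 1024 * 1024;            // assumed limit

/**
 * Validate one entry of $_FILES and move it into $privateDir.
 * Returns the stored path; throws RuntimeException on any rejection.
 */
function store_student_csv(array $file, string $privateDir, array $fields): string
{
    // 1. Trust PHP's own upload bookkeeping, never the client-supplied 'type'.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a PHP-managed upload');
    }
    if ($file['size'] > MAX_CSV_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Allow-list the extension of the client filename instead of copying it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        throw new RuntimeException('only .csv uploads are accepted');
    }

    // 3. Sniff the bytes on disk with libmagic; the multipart Content-Type
    //    header is attacker-controlled and is not consulted at all.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true)) {
        throw new RuntimeException('content does not look like CSV: ' . $mime);
    }

    // 4. Belt and braces: refuse anything carrying a PHP open tag, so a
    //    polyglot that libmagic classifies as text still cannot become a script.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 8192);
    if ($head === false || stripos($head, '<?') !== false) {
        throw new RuntimeException('script tag found in upload');
    }

    // 5. Build the stored name from validated form fields and force our own
    //    extension; the client filename never reaches the filesystem.
    $parts = [];
    foreach (['program', 'department', 'course_code', 'batch', 'yoa'] as $key) {
        $value = is_string($fields[$key] ?? null) ? $fields[$key] : '';
        if (!preg_match('/\A[A-Za-z0-9]{1,16}\z/', $value)) {
            throw new RuntimeException("invalid form field: $key");
        }
        $parts[] = $value;
    }
    $dest = rtrim($privateDir, '/') . '/' . implode('', $parts) . '.csv';

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                              // owner/group read only, no execute bit
    return $dest;
}

// Handler context (assumed): on rejection answer 400; PHP discards the
// temporary upload at the end of the request, so nothing is left on disk.
if (isset($_FILES['Student-Data-CSV'])) {
    try {
        $stored = store_student_csv($_FILES['Student-Data-CSV'], '/var/app/private/uploads', $_POST);
        echo 'Stored ' . htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design points. The `finfo` result for a plain ASCII CSV is usually `text/plain` rather than `text/csv`, which is why both are accepted; the check only needs to exclude binaries and scripts, because the extension is forced to `.csv` regardless of what the client sent. Independently of the handler, the directory that receives uploads should not be executable by the web server (with Apache and mod_php, `php_admin_flag engine off` for that directory, or better a directory outside the document root as assumed here), so that even a future validation bypass cannot turn an upload into code execution.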
Source: https://github.com/tittuvarghese/CollegeManagementSystem/issues/2
User: Sw0rd (UID 98307)
Submitted: 18.05.2026 15:52 (19 days ago)
Moderated: 05.06.2026 10:10 (18 days later)
Status: accepted
VulDB Entry: 368871 [tittuvarghese CollegeManagementSystem Student Data Upload Endpoint upload_student_data.php Student-Data-CSV privilege escalation]
Points: 20
