GUnet OpenEclass File Upload Extension Bypass Vulnerability Allowing Remote Code Execution

A vulnerability in GUnet OpenEclass version 1.7.3 allows authenticated users to bypass file extension restrictions during file uploads. By renaming a PHP file to use the .php3 or .PhP extension, an attacker can upload a web shell and execute arbitrary code on the server. This issue arises from inadequate file type validation in the exercise submission feature, enabling remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user must upload a file through the exercise submission feature. The application currently renames files with a .php extension to .phps, preventing execution. However, by renaming the file to .php3 or .PhP, the upload can successfully bypass this restriction. Once the file is uploaded, it can be accessed through the course's 'work' directory, where directory listing is typically enabled by default.