1000projects.org Online Student Project Report Submission and Evaluation System Unrestricted File Upload Vulnerability

A file upload vulnerability allowing unrestricted file types has been identified in the 1000projects Online Student Project Report Submission and Evaluation System version 1.0. The issue resides in the '/admin/controller/faculty_controller.php' file, where the 'new_image' parameter lacks proper validation, enabling attackers to upload arbitrary files, including malicious scripts. This vulnerability can be exploited remotely without authentication, posing a significant risk to system security and data integrity.

Impact

Exploitation of this vulnerability allows attackers to upload malicious scripts that could be executed on the server, potentially leading to unauthorized access, data manipulation, malware distribution, or disruption of services.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/rse/admin/controller/faculty_controller.php' with the 'new_image' parameter containing a file, such as a PHP script. This can be done using tools like cURL or Postman.

Remediation

It is recommended to implement strict file type validation, set file size limits, store uploaded files outside the web root, rename files upon upload, and conduct regular security audits.