1000projects.org Online Student Project Report Submission and Evaluation System Unrestricted File Upload Vulnerability
Vulnerability
An unrestricted file upload vulnerability has been identified in the 1000projects Online Student Project Report Submission and Evaluation System version 1.0. The issue resides in '/rse/admin/controller/student_controller.php', where the file received in the 'new_image' parameter is stored without validation of its type, name or size. An attacker can therefore upload arbitrary files, including server-side scripts, and if the stored file is reachable under the web root the server will execute it. The advisory states that the endpoint can be reached remotely without authentication, so exploitation does not require an admin session.
Impact
Exploitation allows an attacker to place a web shell or other script on the server and have it executed in the context of the web application. From there the attacker can gain unauthorized access to the application and its data, modify or delete records, host malware for distribution, or disrupt the service.
Reproduction
The vulnerability can be reproduced by sending a multipart/form-data POST request to '/rse/admin/controller/student_controller.php' with a file attached in the 'new_image' parameter, for example a small PHP script, using a tool such as cURL. The upload succeeds regardless of the file's extension or content type. When verifying a fix, confirm both that a '.php' upload is rejected and that any file which is accepted cannot be requested and executed from a path under the web root.
Remediation
It is recommended to validate uploads against an allow-list of expected types (checking the file's content rather than the client-supplied name or Content-Type), enforce a file size limit, store uploaded files outside the web root and serve them through a handler that never executes them, assign server-generated unique file names with a server-chosen extension, require authentication on the admin controller, and conduct regular security audits.
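The following is an added example, not code from the 1000projects application. It contrasts a minimal handler that reproduces the weakness the advisory describes (the 'new_image' file written to disk unchecked) with a hardened version implementing the remediation steps above. The upload directory, the size limit, the allowed image types and the surrounding session check are assumptions.

```php
<?php
declare(strict_types=1);

// --- Weak pattern (constructed to match the advisory; NOT the project's code) ---
// Trusts the client-supplied file name and type, so 'shell.php' lands under the
// web root with its .php extension intact and the server will execute it.
function save_image_unchecked(array $file, string $webrootDir): string
{
    $dest = $webrootDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened handler ---
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;      // assumption: 2 MiB cap
const UPLOAD_DIR      = '/var/app/uploads';   // assumption: outside DocumentRoot
const ALLOWED_TYPES   = [                     // MIME sniffed from content => extension WE assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the server-chosen file name to record in the database.
// Assumption: the caller has already verified an authenticated admin session.
function save_image_checked(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (string)($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if (filesize($file['tmp_name']) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, never from $file['type'] or the client name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    // Sanity check that the bytes decode as an image. A crafted polyglot can still
    // pass this, so the real guarantees are the assigned extension and the
    // non-served directory below, not this check.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-generated random name and server-chosen extension: no client input
    // reaches the path, so neither '../' nor '.php' can be smuggled in.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app user only, never executable
    return $name;
}

// Usage in the controller (field name taken from the advisory):
//   try {
//       $stored = save_image_checked($_FILES['new_image']);
//   } catch (RuntimeException $e) {
//       http_response_code(400);
//       exit('rejected');
//   }
//
// Manual check with cURL, as the Reproduction section describes
// (host is a placeholder): a PHP file must now be rejected with 400.
//   curl -F 'new_image=@probe.php' http://TARGET/rse/admin/controller/student_controller.php
```

Because UPLOAD_DIR sits outside the web root, even a file that slips past the checks is never reachable by URL; it has to be served by a separate read-only script that reads the file by its recorded name, sets an image Content-Type, and sends the bytes, which removes the path from the web server's executable handlers entirely.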
