ProjectsAndPrograms School Management System Unauthenticated File Upload Vulnerability Leading to Remote Code Execution

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the ProjectsAndPrograms School Management System, specifically in versions prior to the commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue resides in the 'editNotes.php' file, where the 'file' parameter can be manipulated to upload malicious PHP scripts. This vulnerability can be exploited remotely, with the uploaded scripts executed on the server with the same privileges as the web server user.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the web server user's privileges. This could lead to a complete compromise of the server, including access to the application database and any sensitive information it contains, such as personal data of students and staff, academic records, and system credentials. Additionally, the vulnerability could be used to disrupt services, modify or delete website content, or facilitate further network attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the '/assets/editNotes.php' endpoint without any authentication. Include the 'file' parameter in the request, attaching a PHP file that contains malicious code, such as a web shell. Once the file is uploaded, it can be accessed through the '/notesUploads/' directory, where the uploaded PHP script can be executed by passing commands through a specified parameter.

Remediation

It is recommended to implement access controls to restrict the '/assets/editNotes.php' endpoint to authenticated users only. Additionally, uploaded files should be validated to allow only safe file types, checked using MIME type verification, and renamed to prevent direct execution. Finally, uploaded files should be stored outside the web root or the web server should be configured to deny execution in the upload directory.