ProjectsAndPrograms School Management System Unauthenticated File Upload Vulnerability Leading to Remote Code Execution

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the ProjectsAndPrograms School Management System, specifically in versions through commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue resides in the file '/assets/createNotice.php', where the 'file' parameter can be manipulated to upload malicious PHP scripts. This vulnerability can be exploited remotely, leading to remote code execution on the server with the privileges of the web server user.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential to execute arbitrary operating system commands. This could result in a complete compromise of the server, including access to the application database and any sensitive information it contains, such as personal data of students and staff, academic records, and system credentials. Additionally, the vulnerability could be used to disrupt services, modify or delete website content, or as a foothold for further network attacks.

Reproduction

To reproduce this vulnerability, send a POST request to '/assets/createNotice.php' without any authentication. Include the 'file' parameter in the request, attaching a PHP file that contains malicious code, such as a web shell. The server will save the uploaded file in the '/notesUploads/' directory, where it can be accessed and executed via HTTP.

Remediation

It is recommended to restrict access to the '/assets/createNotice.php' endpoint to authenticated users only. Implement file validation by whitelisting safe file extensions, checking file content using MIME type validation, and renaming uploaded files to prevent direct execution. Additionally, store uploaded files outside the web root or configure the web server to deny execution in the upload directory.