ProjectsAndPrograms School Management System Unauthenticated File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the ProjectsAndPrograms School Management System, specifically in version 1.0 prior to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue resides in the 'changeSllyabus.php' file, where the 'file' parameter is accepted without authentication or content validation, allowing PHP scripts to be uploaded. This vulnerability can be exploited remotely, leading to remote code execution on the server with the privileges of the web server user.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential to execute arbitrary operating system commands. This could result in a complete compromise of the server, including access to the application database and any sensitive information it contains, such as personal data of students and staff, academic records, and system credentials. Additionally, the vulnerability could be used to disrupt services or modify website content, causing reputational damage to the affected institution.

Reproduction

To reproduce this vulnerability, send a POST request to '/assets/changeSllyabus.php' without any authentication. Include the 'file' parameter in the request, uploading a PHP file containing a web shell payload. Once the file is uploaded, it can be accessed through the '/syllabusUploads/' directory, where the uploaded PHP script can be executed by passing commands through the 'pass' parameter.

Remediation

Users are advised to implement access controls to restrict the 'changeSllyabus.php' endpoint to authenticated users only. Additionally, file validation measures should be introduced to restrict uploads to safe file types, validate file content using MIME type checks, and rename uploaded files to prevent direct execution. It is also recommended to store uploaded files outside the web root or configure the web server to deny execution in the upload directory.
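The following is an added example, not code from the ProjectsAndPrograms project, showing how the remediation steps above fit together in a single PHP upload handler: an authentication gate, an extension allowlist, a MIME check on the file's actual bytes, a server-chosen random filename, and storage outside the web root. The session key $_SESSION['user_id'], the directory /var/app-data/syllabus, and the PDF/DOCX allowlist are assumptions made for the example and are not taken from the advisory.

```php
<?php
// Added example (not the project's own code): a hardened upload handler
// implementing the advisory's remediation advice. Assumptions: logged-in
// users are tracked in $_SESSION['user_id'] and uploads are stored in
// /var/app-data/syllabus, a directory outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/syllabus';   // assumed path, outside the web root
const MAX_BYTES  = 10 * 1024 * 1024;           // 10 MiB cap on a single syllabus file
const ALLOWED    = [                           // extension => MIME type the bytes must match
    'pdf'  => 'application/pdf',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];

session_start();

// 1. Access control: reject unauthenticated requests before touching the file.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('authentication required');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
    http_response_code(400);
    exit('expected a multipart POST with a "file" field');
}

$up = $_FILES['file'];
if ($up['error'] !== UPLOAD_ERR_OK || $up['size'] > MAX_BYTES) {
    http_response_code(400);
    exit('upload rejected');
}

// 2. Extension allowlist. The client-supplied name is only used to derive
//    the extension; it is never reused as the stored filename.
$ext = strtolower(pathinfo($up['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    http_response_code(415);
    exit('file type not allowed');
}

// 3. Content check: sniff the MIME type from the bytes on disk, not from
//    $up['type'], which is supplied by the client and can say anything.
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($up['tmp_name']);
if ($detected !== ALLOWED[$ext]) {
    http_response_code(415);
    exit('file content does not match its extension');
}

// 4. Rename: a random, server-chosen name discards any path components or
//    double extensions (e.g. "x.php.pdf") present in the original filename.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

// 5. move_uploaded_file() only accepts PHP's own temporary upload file;
//    copy() or rename() would also accept arbitrary local paths.
if (!is_dir(UPLOAD_DIR) || !move_uploaded_file($up['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
chmod($dest, 0640); // readable by the web server user, never executable

// Record the mapping (display name -> $stored) in the database here, and
// serve the file later through a download script that sends
// Content-Disposition: attachment, rather than exposing the directory by URL.
echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

Two caveats when adapting this pattern. First, the MIME value libmagic reports for DOCX varies between versions (older builds report application/zip), so the allowlist should be tested against the deployment's own finfo output. Second, the checks above are defence in depth, not a substitute for the web server rule the advisory recommends: if files must stay under the web root, a configuration that disables PHP execution in the upload directory ensures that even a file which slips past validation is served as static content rather than run.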

Added: Oct 13, 2025, 4:22 AM
Updated: Oct 13, 2025, 4:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 10.0
exploitability: 9.5
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.