campcodes Online Student Enrollment System Unrestricted File Upload Vulnerability

A critical unrestricted file upload vulnerability has been identified in campcodes Online Student Enrollment System version 1.0. The issue resides in the /admin/register.php file, where the photo argument can be manipulated to bypass file type and content validation. This vulnerability allows remote attackers to upload malicious PHP scripts, such as AntSword webshells. Once the webshells are uploaded, attackers can gain full control over the target system by executing commands, browsing the file system, and stealing sensitive data.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which can lead to the execution of malicious scripts on the server. In this case, uploaded webshells can be used to execute system commands, access sensitive data, and potentially escalate privileges or move laterally within a network.

Reproduction

To reproduce this vulnerability, send a POST request to /admin/register.php with the photo parameter containing a PHP file disguised as an image. The server's lack of proper file validation will allow the upload. After successfully uploading the file, it can be accessed through the web server, and if it is a webshell, commands can be executed via a tool like AntSword.

Remediation

To address this vulnerability, implement strict file upload validations by whitelisting allowed file types, verifying MIME types, and inspecting file contents. Additionally, store uploaded files in non-web-accessible directories and set appropriate directory permissions to prevent execution of uploaded scripts.