Project Worlds Online Time Table Generator Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A critical vulnerability exists in Project Worlds Online Time Table Generator version 1.0, specifically within the file '/admin/add_student.php'. This issue allows for unrestricted file uploads by manipulating the 'pic' parameter, enabling the upload of malicious files such as PHP scripts. Once uploaded, these files can be executed on the server, leading to remote code execution. The vulnerability can be exploited remotely, and details of the exploit have been publicly disclosed.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential to install a web shell, distribute malware, breach data security, and cause a denial-of-service condition. Additionally, the vulnerability could be used to bypass security controls and damage the organization's reputation.

Reproduction

To reproduce this vulnerability, access the '/admin/add_student.php' file upload form. Upload a file named 'shell.php' containing a PHP web shell payload, while also providing an email address in the 'eid' parameter. The server will store the file in a directory corresponding to the email address, without any sanitization. Once uploaded, the file can be accessed via HTTP, executing the PHP code on the server.

Remediation

It is recommended to implement proper input validation and filtering for uploaded files, ensuring that only expected file types are accepted. Filenames should be sanitized to remove potentially dangerous elements, and uploaded files should be stored in a directory that is not accessible via the web or configured to prevent script execution. Additionally, server configurations can be adjusted to restrict execution permissions in upload directories.
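The following hardened upload handler illustrates the remediation above in PHP. It is an added example, not code from Project Worlds; the storage root, size limit, and function name are assumptions, and the original client-supplied filename is never used.

```php
<?php
// Added example (not from the Project Worlds code base): a hardened handler
// for the 'pic' upload. PICTURE_ROOT, the size limit and the function name
// are assumptions for illustration.
declare(strict_types=1);
// Assumed to sit outside the web root, so uploads can never be requested
// directly over HTTP; pictures are served by a separate read-only script.
const PICTURE_ROOT = '/var/app-data/student_pics';
const MAX_PICTURE_BYTES = 2 * 1024 * 1024;
// Content-detected MIME type => extension that will actually be written.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
// Validate the uploaded picture and store it under a generated name.
// Returns the path (relative to PICTURE_ROOT) to record in the database;
// throws RuntimeException on any validation failure.
function store_student_picture(array $file, string $eid): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_PICTURE_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 'eid' becomes a directory component only after validation and hashing,
    // so slashes or ../ in the submitted email never reach the filesystem.
    if (filter_var($eid, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Invalid email');
    }
    $dir = PICTURE_ROOT . '/' . hash('sha256', strtolower($eid));
    // Decide the type from the bytes, not the client name or Content-Type,
    // then confirm the data really decodes as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an allowed image');
    }
    // The client-supplied filename (e.g. shell.php) is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Cannot create storage directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('Cannot store file');
    }
    return basename($dir) . '/' . $name;
}
```

In add_student.php this would be called as `store_student_picture($_FILES['pic'], $_POST['eid'] ?? '')`, with the returned relative path stored in the database instead of a web-reachable URL.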

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.