Project Worlds Online Time Table Generator Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A critical vulnerability exists in Project Worlds Online Time Table Generator version 1.0, specifically within the file '/admin/updatestudent.php'. This vulnerability allows for unrestricted file uploads by manipulating the 'pic' argument, enabling the upload of malicious PHP scripts. The server executes these scripts in a publicly accessible directory, potentially leading to a complete system compromise. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the uploaded file being executed as a PHP script. This could lead to a full system compromise, including the installation of a web shell, bypassing of security controls, and potential damage to the application's reputation.

Reproduction

To reproduce this vulnerability, upload a file through the 'pic' field in the '/admin/updatestudent.php' page. The file will be stored in 'student/image/[email]/', where '[email]' is the email address provided in the 'eid' parameter. Once uploaded, the file can be accessed via HTTP, allowing for remote code execution.
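The root cause is that the upload handler trusts the client-supplied filename and stores the file in a web-served directory where the server executes PHP. The following is an added example of a hardened version of that upload step; it is not code from the Project Worlds project. The field names 'pic' and 'eid' follow the advisory, while the helper name, the hashed per-student directory and the base directory outside the web root are assumptions.

```php
<?php
// Added example (not Project Worlds code): hardened replacement for an
// unrestricted 'pic' upload. Field names follow the advisory; the helper
// name, directory layout and base directory are assumptions.

const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES     = 2 * 1024 * 1024;

function storeStudentPicture(array $file, string $email, string $baseDir): string
{
    // Accept only a successful upload that PHP itself received.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the file's content, never from the client-supplied
    // name or Content-Type; then confirm it really parses as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }

    // The target directory is derived from user input ('eid'): validate it as
    // an e-mail address and hash it so the path contains no separators or dots.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('invalid email');
    }
    $dir = $baseDir . '/' . hash('sha256', strtolower($email));
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create directory');
    }

    // Server-chosen name and extension; the original filename is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640); // stored non-executable, readable only by the web server
    return $dest;
}

// Usage in the handler (assumed: $baseDir lies outside the document root and
// images are served back through a script that sets an image Content-Type):
// $path = storeStudentPicture($_FILES['pic'], $_POST['eid'], '/var/app/uploads');
```

Even with this check in place, the existing 'student/image/' directory should have PHP execution disabled at the web server, since files already uploaded there are not covered by the handler.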

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  6.0
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.