Project Worlds Online Time Table Generator
cpe:2.3:a:projectworlds:online_time_table_generator:*:*:*:*:*:*:*
- 1.0
A critical vulnerability exists in Project Worlds Online Time Table Generator version 1.0, specifically within the file '/student/updateprofile.php'. This issue arises from the file upload feature, which fails to properly validate the types and extensions of uploaded files. As a result, attackers can upload malicious PHP scripts, which are then executed by the server, leading to remote code execution. The vulnerability can be exploited remotely, and the details have been publicly disclosed.
Exploitation of this vulnerability allows for remote code execution on the server, with the potential to install a web shell, execute arbitrary commands, and access or modify sensitive data. Additionally, the vulnerability could be used to launch a denial-of-service attack against the application or server.
To reproduce this vulnerability, upload a file through the 'pic' parameter in a POST request to '/student/updateprofile.php'. The server will store the file in a user-specific directory without proper sanitization, allowing the uploaded file to be accessed and executed via HTTP.
Users are advised to implement proper input validation and filtering for uploaded files, ensuring that only expected file types are accepted. Filenames should be sanitized to remove potentially dangerous elements, and uploaded files should be stored in a directory that is not accessible via the web or configured to prevent script execution. Server settings can be adjusted to disable PHP execution in upload directories.
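The mitigations listed above (extension allowlist, content validation, server-chosen filenames, storage outside the web root) as a single hardened upload handler. This is an added example written for this entry, not code from the Project Worlds project; it assumes the form field is named 'pic' as in the description, that the student's id is in `$_SESSION['student_id']`, and that `/var/app-data/profile-pics` is a directory outside the document root (both the session layout and the path are assumptions).

```php
<?php
// Added example (not the project's code): a hardened replacement for a
// profile-picture upload handler. Assumed: form field 'pic', student id in
// $_SESSION['student_id'], UPLOAD_DIR outside the web server's document root.
declare(strict_types=1);

// Stored outside the document root, so nothing here can be requested or
// executed directly over HTTP. Path is an assumption.
const UPLOAD_DIR = '/var/app-data/profile-pics';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB cap: a picture, not a script

// Extension allowlist, each mapped to the MIME type the file bytes must have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate an entry from $_FILES and move it into UPLOAD_DIR under a name the
 * server chooses. Returns the stored basename; throws on any rejection.
 */
function storeProfilePicture(array $file, int $studentId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (code ' . ($file['error'] ?? '?') . ')');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a PHP-managed upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension: only the LAST extension of the client name, lower-cased,
    //    checked against the allowlist. The client name is used for this lookup
    //    only and never reaches the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content: sniff the bytes with finfo instead of trusting the
    //    client-supplied Content-Type, and require agreement with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 3. The file must decode as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Server-chosen filename: no user input in the path (so no traversal),
    //    and the extension comes from the allowlist, not from the client.
    $name = sprintf('%d_%s.%s', $studentId, bin2hex(random_bytes(16)), $ext);
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

/**
 * Serve a stored picture through PHP with a fixed image Content-Type, so the
 * web server never maps the upload directory to a script handler.
 */
function serveProfilePicture(string $name): void
{
    // Accept only names of the exact shape storeProfilePicture() generates.
    if (!preg_match('/^\d+_[0-9a-f]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Form handler (assumed session layout).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['pic'])) {
    try {
        $stored = storeProfilePicture($_FILES['pic'], (int) $_SESSION['student_id']);
        // persist $stored in the student's row, then redirect
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Keeping uploads outside the document root and serving them back through `serveProfilePicture()` is what removes the "accessed and executed via HTTP" step; the extension and content checks are defence in depth on top of that. If an existing deployment cannot move the directory, the same effect is approximated by disabling PHP execution for it in the web server (for Apache with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the upload path), which is the server-setting change the advice above refers to.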