SourceCodester Student Result Management System Path Traversal Vulnerability Leading to Arbitrary File Deletion
Vulnerability
A critical path traversal vulnerability has been identified in SourceCodester Student Result Management System version 1.0. The issue resides in the file 'academic/core/drop_student.php', where improper validation of the 'img' parameter allows authenticated users to delete arbitrary files on the server. The deleted files can include sensitive system files, potentially leading to a denial-of-service condition or further exploitation.
Impact
Exploitation of this vulnerability allows for arbitrary file deletion on the server, including critical system files, which could disrupt normal operations or be used for further malicious activities.
Reproduction
To reproduce this vulnerability, an authenticated user can send a request to 'academic/core/drop_student.php' with a crafted 'img' parameter that includes a path traversal sequence. This request will bypass the application's file deletion validation and remove the specified file from the server.
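The root cause described above is a filename parameter that reaches a file-deletion call without being confined to the upload directory. The following is an added, illustrative PHP handler (not SourceCodester's code; the upload directory, the request method and the function name are assumptions) showing the unsafe pattern as a comment next to a hardened replacement that rejects traversal sequences and symlink escapes before calling unlink(), and logs rejected attempts so they can be alerted on.

```php
<?php
// Added example, not the project's code. Hardened handling of an image
// filename before unlink(). Assumes student photos live in one fixed
// directory and are stored by bare filename (no path component).
declare(strict_types=1);

// Assumed upload location; adjust to the application's real directory.
const UPLOAD_DIR = __DIR__ . '/../uploads/students';

// Unsafe pattern (illustrative only): the request value is concatenated
// straight into the path, so "../" sequences escape the upload directory.
//   unlink(UPLOAD_DIR . '/' . $_REQUEST['img']);

/**
 * Resolve $img to an existing file inside UPLOAD_DIR, or return null.
 * Rejects path separators, traversal sequences and symlinks that escape.
 */
function resolveStudentImage(string $img): ?string
{
    // Keep only the final path component; drops "../" and leading "/".
    $name = basename($img);

    // Allow-list what an uploaded photo filename may look like.
    if ($name === '' || !preg_match('/^[A-Za-z0-9_\-]+\.(jpe?g|png|gif)$/', $name)) {
        return null;
    }

    // Canonicalise both sides and check containment (defeats symlinks).
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside UPLOAD_DIR
    }
    return $path;
}

// Delete handler: refuse, and record the attempt, instead of unlinking
// whatever was sent. Request method (POST) is an assumption.
$raw    = (string)($_POST['img'] ?? '');
$target = resolveStudentImage($raw);
if ($target === null) {
    error_log(sprintf('drop_student: rejected img=%s from %s',
        $raw, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('invalid image reference');
}
if (!unlink($target)) {
    error_log('drop_student: unlink failed for ' . $target);
}
```

The error_log line gives the web server's error log a stable marker (`drop_student: rejected`) that a SIEM rule can match to detect traversal attempts against this endpoint.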