Phpgurukul Online Course Registration Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in Phpgurukul Online Course Registration version 3.1. The issue lies in the profile picture upload feature on the '/my-profile.php' page. The application does not validate or filter the uploaded file on the server side, so an authenticated user can upload a PHP script in place of an image. Because the upload directory is web-accessible and the server executes PHP files stored there, requesting the uploaded file runs the attacker's code, leading to remote code execution with arbitrary command execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server. Uploaded malicious files can be executed via the web, leading to a full compromise of the server, including application data and potentially allowing for lateral movement and privilege escalation.

Reproduction

To reproduce this vulnerability, log into the application as a student and navigate to the '/my-profile.php' page. Intercept the profile picture upload request using a proxy tool like Burp Suite. Change the file extension to '.php' and insert malicious PHP code, such as a WebShell, into the file. After uploading the file, access it through the '/studentphoto/' directory and execute commands by sending a POST request with the appropriate parameters.

Remediation

Users are advised to implement strict server-side validation of uploaded files, allowing only specific file types such as images. Additionally, uploaded files should be stored outside the web root, execution of scripts in upload directories should be disabled, and files should be renamed to prevent direct access.
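The following hardened upload handler is an added example, not code from the advisory or from the Phpgurukul project. It illustrates the remediation points above: the file type is decided from content rather than the client-supplied name or MIME type, the file is stored under a server-generated name in a directory outside the web root, and the stored file is not executable. The field name 'profilepic' and the directory path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed storage location: outside the web root, so nothing here is directly requestable.
const UPLOAD_DIR = '/var/app/uploads/studentphoto';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB limit for a profile picture

/**
 * Validate an uploaded image and store it under a server-chosen name.
 * Returns the stored filename to record against the student; throws on any failure.
 */
function storeProfilePicture(array $file, string $dir = UPLOAD_DIR): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file's bytes; ignore $file['name'] and $file['type'] entirely.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }
    // Require that the content actually decodes as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-generated name: the original filename and its extension are discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage with the assumed form field; the returned name is what gets saved in the student record.
// $stored = storeProfilePicture($_FILES['profilepic']);
```

Serve the stored pictures through a small read-only script that sets Content-Type from the stored extension, and keep a web-server rule that refuses to execute scripts from any upload directory that remains web-accessible, so a single missed check does not become code execution.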

Added: Apr 13, 2026, 10:20 PM
Updated: Apr 13, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.