Code-Projects Library Management System Unrestricted File Upload Vulnerability
Vulnerability
A critical unrestricted file upload vulnerability has been identified in Code-Projects Library Management System version 2.0. It resides in '/admin/student_edit_photo.php', where the 'photo' upload field can be manipulated to bypass file type and content validation: the application trusts the client-supplied type and filename rather than inspecting what was actually uploaded. The vulnerability is remotely exploitable, and a public exploit exists.
Impact
Exploitation allows arbitrary file upload. Because the uploaded file is stored where the web server serves it and PHP is executed from that location, an uploaded web shell runs with the privileges of the web server process. That gives the attacker command execution on the host, access to the application's database and configuration (including any stored credentials), and a foothold for full control of the system.
Reproduction
To reproduce, authenticate to the application with the default admin credentials, then send a multipart POST request to '/admin/student_edit_photo.php' in which the 'photo' file field carries a PHP file presented as an image. Because only the declared type and name are checked, the file is stored unchanged and can be requested through the web server, which executes it as PHP; a web shell uploaded this way yields command execution. Note that authentication is required, but the default credentials are publicly known, so an unchanged installation offers no real barrier.
Remediation
To address this vulnerability, validate uploads on the server side and never trust the client-supplied filename or Content-Type: allowlist the permitted image types by inspecting the file content (magic bytes and a successful image decode), generate the stored filename and extension on the server, and store uploaded files outside the web root or in a directory from which the web server is configured not to execute scripts. Re-encoding the image before storage additionally strips PHP code hidden inside an otherwise valid image. As a compensating control only, web application firewall (WAF) rules can block uploads and requests containing AntSword-specific payloads; this does not fix the flaw, since the payload is attacker-chosen and easily varied. Change the default admin credentials as well, since they are what makes the remote exploit practical.
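The following handler shows the validation described above in working form. It is an added example written for this page, not code from the Code-Projects project; the upload directory, the size limit and the way the stored name is persisted are assumptions for illustration, and it relies on PHP 8 with the fileinfo and GD extensions.

```php
<?php
// Added example (not Code-Projects code): a hardened replacement for a
// photo-upload handler such as /admin/student_edit_photo.php.
// UPLOAD_DIR, MAX_BYTES and the persistence step are assumptions.

declare(strict_types=1);

// Outside the document root; the web server must never serve or execute from here.
const UPLOAD_DIR = '/var/app/uploads/student_photos';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;                      // assumed limit

// Allowlist keyed by the MIME type detected from file content,
// not by $_FILES['photo']['type'] or the client's filename.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function rejectAndExit(string $reason): void
{
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Upload rejected: $reason";
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['photo'])) {
    rejectAndExit('no file');
}
$f = $_FILES['photo'];

if ($f['error'] !== UPLOAD_ERR_OK) {
    rejectAndExit('transfer error');
}
if ($f['size'] > MAX_BYTES) {
    rejectAndExit('file too large');
}
if (!is_uploaded_file($f['tmp_name'])) {
    rejectAndExit('not an uploaded file');
}

// 1. Detect the type from content (magic bytes); declared type and extension are ignored.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if (!isset(ALLOWED[$mime])) {
    rejectAndExit('type not allowed');
}

// 2. Require a real, decodable image whose detected type matches the magic bytes.
$info = @getimagesize($f['tmp_name']);
if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
    rejectAndExit('not a valid image');
}

// 3. Re-encode through GD: PHP code appended to or embedded in the original
//    bytes (a polyglot "image") does not survive into the stored copy.
$img = match ($mime) {
    'image/jpeg' => imagecreatefromjpeg($f['tmp_name']),
    'image/png'  => imagecreatefrompng($f['tmp_name']),
    'image/gif'  => imagecreatefromgif($f['tmp_name']),
};
if ($img === false) {
    rejectAndExit('decode failed');
}

// 4. Server-generated name and extension; the client's filename never reaches the filesystem.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$dest = UPLOAD_DIR . '/' . $name;

$ok = match ($mime) {
    'image/jpeg' => imagejpeg($img, $dest, 90),
    'image/png'  => imagepng($img, $dest),
    'image/gif'  => imagegif($img, $dest),
};
imagedestroy($img);
if (!$ok) {
    rejectAndExit('store failed');
}

// Persist $name against the student record here (assumed: prepared statement in
// the caller). Serve the photo later through a read-only handler that streams the
// file with the stored MIME type, never via a direct URL into UPLOAD_DIR.
echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

Each step closes one bypass on its own: the magic-byte check defeats a spoofed Content-Type, the decode check defeats a bare header glued onto a script, re-encoding removes code hidden in metadata or trailing bytes, and the generated name removes the attacker's control of the extension. Storing outside the web root (or denying script execution for the upload directory in the web server configuration) is the last line of defence if any of the earlier checks is ever weakened.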
