Great Developers Certificate Generation System Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in the Great Developers Certificate Generation System, version 1.0, prior to commit 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. The issue is in the file /restructured/csv.php, where the 'photo' upload parameter can be manipulated to inject operating system commands. The vulnerability can be exploited remotely, without authentication.

Impact

Exploitation of this vulnerability allows for full remote command execution on the server, with the executed commands running under the web user’s privileges. This could lead to a complete takeover of the server. Additionally, the vulnerability allows for arbitrary file overwriting, particularly through a Zip Slip attack, which could result in data destruction or the deployment of ransomware.

Reproduction

To reproduce this vulnerability, upload a file through the 'photo' parameter that exploits the command injection flaw. The application will execute OS commands based on the uploaded file's name and extension. For example, a .zip file could be used to inject commands by overwriting files on the server.
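A defensive pattern for the two flaw classes named above (a client-supplied file name reaching an OS command, and Zip Slip during extraction), as an added example that is not code from the project or from this advisory. The vulnerable code in /restructured/csv.php is not shown on this page, so the function names, the allowed extensions, the size limit and the destination directory are all assumptions.

```php
<?php
// Added example, not the project's code. Names, limits and paths are assumptions.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png'];
const MAX_ENTRY_BYTES = 5 * 1024 * 1024;

/** True if a zip entry name is a plain relative path with an allowed extension. */
function entry_is_safe(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) return false;
    if ($name[0] === '/' || $name[0] === '\\' || preg_match('/^[A-Za-z]:/', $name)) return false;
    if (in_array('..', preg_split('#[/\\\\]#', $name), true)) return false; // Zip Slip
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

/** Extract image entries into $destDir under server-generated names. */
function extract_photos(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();             // in-process; no shell, so the client
    if ($zip->open($zipPath) !== true) { // filename never reaches a command line
        throw new RuntimeException('not a readable zip archive');
    }
    $written = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $stat = $zip->statIndex($i);
            if ($stat === false) throw new RuntimeException('unreadable entry');
            $name = $stat['name'];
            if (substr($name, -1) === '/') continue;          // directory entry
            if (!entry_is_safe($name) || $stat['size'] > MAX_ENTRY_BYTES) {
                throw new RuntimeException('rejected archive entry');
            }
            $data = $zip->getFromIndex($i, MAX_ENTRY_BYTES);
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            // The entry's own path is never used as the destination.
            $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
            if ($data === false || file_put_contents($target, $data) === false) {
                throw new RuntimeException('could not store entry');
            }
            $written[] = $target;
        }
    } finally {
        $zip->close();
    }
    return $written;
}

if (isset($_FILES['photo']) && is_uploaded_file($_FILES['photo']['tmp_name'])) {
    extract_photos($_FILES['photo']['tmp_name'], __DIR__ . '/photos');
}
```

If an archive is rejected partway through, entries already written stay in the destination directory and should be cleaned up by the caller.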

Added: Feb 8, 2026, 9:20 PM
Updated: Feb 8, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.