Open eClass File Upload Validation Bypass Vulnerability Allowing Prohibited File Extensions

Vulnerability

A file upload validation bypass vulnerability has been identified in the Open eClass platform in versions prior to 4.2. The application checks the extension of an uploaded file only at upload time, and the extracted contents of an archive are not subjected to the same check. An attacker can therefore place a file with a disallowed extension inside a ZIP archive, upload the archive (whose .zip extension is permitted), and then use the application's built-in extraction feature to decompress it on the server, leaving the disallowed file in the target directory. The issue has been patched in version 4.2.

Impact

Exploitation of this vulnerability allows an authenticated user who can upload and extract archives to store files that the upload handler's extension-based restrictions would otherwise refuse. According to the advisory the extracted files are not executed by the application, but they persist on the server under attacker-chosen names. A stored script of this kind becomes dangerous if the storage directory is ever served with script execution enabled, or if another weakness allows the stored file to be reached, so the finding should be treated as a stored-file primitive rather than as harmless.

Reproduction

To reproduce this vulnerability, create a file with a prohibited extension, such as 'shell.php', and compress it into a ZIP archive. Upload the ZIP file to the application without enabling automatic extraction; the archive itself carries a permitted extension, so the upload-time check passes. After the upload, use the application's interface to manually extract the contents of the archive. The extracted members are not re-checked, so the prohibited file is written to the target directory.

Remediation

Users are advised to update to Open eClass version 4.2 or later.
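The following is an added example, not code from Open eClass or from this advisory, illustrating both the Reproduction steps and the class of fix the Remediation section implies. Open eClass itself is a PHP application; the example uses Python's zipfile module to keep the logic language-neutral. It builds the archive from the Reproduction section in memory (constructed sample members, labelled in the code), shows that a check applied only to the uploaded file's name lets 'payload.zip' through, and then contrasts extraction that trusts the archive with extraction that re-applies the upload filter to every member. The PROHIBITED_EXTENSIONS list, the multi-suffix rule and the path-escape check are assumptions of this example, not details taken from the page.

```python
from __future__ import annotations

import io
import os
import posixpath
import shutil
import tempfile
import zipfile

# Extensions refused on direct upload. Constructed for this example; the
# advisory does not reproduce the real Open eClass list.
PROHIBITED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "cgi", "pl", "py", "sh", "htaccess",
}


def is_prohibited(name: str) -> bool:
    """True if any dot-separated suffix of the base name is prohibited.

    Checking every suffix (not only the last) also refuses 'shell.php.txt'
    and 'SHELL.PHP'. The multi-suffix rule is a hardening choice for web
    servers that honour inner extensions; the advisory does not describe it.
    """
    segments = posixpath.basename(name).lower().split(".")[1:]
    return any(seg in PROHIBITED_EXTENSIONS for seg in segments)


def build_sample_archive() -> bytes:
    """Constructed sample: the archive from the Reproduction section plus a
    few members that exercise the edge cases (mixed case, subdirectory,
    path escape). Member contents are harmless markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("shell.php", "<?php echo 'extracted'; ?>\n")
        zf.writestr("notes.txt", "harmless text\n")
        zf.writestr("docs/README.md", "# docs\n")
        zf.writestr("docs/SHELL.PHP", "<?php echo 'extracted'; ?>\n")
        zf.writestr("../escape.txt", "would land outside the target\n")
    return buf.getvalue()


def upload_is_allowed(archive_name: str) -> bool:
    """Pre-4.2 behaviour as the advisory describes it: the filter sees only
    the name of the uploaded file, so 'payload.zip' passes."""
    return not is_prohibited(archive_name)


def extract_unchecked(zip_bytes: bytes) -> list[str]:
    """Extraction that trusts the archive because the upload already passed.
    Returns the member names that would be written to the target directory,
    including 'shell.php': this is the bypass."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def extract_checked(zip_bytes: bytes, target_dir: str | None = None) -> tuple[list[str], list[str]]:
    """Re-apply the upload filter to every member before it is written.

    Returns (accepted, rejected). A member whose normalized path would escape
    the target directory is rejected as well; that is a general precaution
    for archive extraction (assumed here), not a flaw the advisory reports.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            rel = posixpath.normpath(name)
            escapes = rel.startswith("/") or rel == ".." or rel.startswith("../")
            if escapes or is_prohibited(name):
                rejected.append(name)
                continue
            accepted.append(name)
            if target_dir is not None:
                dest = os.path.join(target_dir, *rel.split("/"))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with zf.open(info) as src, open(dest, "wb") as dst:
                    shutil.copyfileobj(src, dst)
    return accepted, rejected


def demo() -> dict:
    """Run the scenario end to end in a throwaway directory."""
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as target:
        accepted, rejected = extract_checked(archive, target)
        written = sorted(
            os.path.relpath(os.path.join(root, f), target).replace(os.sep, "/")
            for root, _, files in os.walk(target) for f in files
        )
    return {
        "upload_passes": upload_is_allowed("payload.zip"),
        "unchecked": sorted(extract_unchecked(archive)),
        "accepted": sorted(accepted),
        "rejected": sorted(rejected),
        "written": written,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the same predicate (is_prohibited) must run on two inputs: the name of the uploaded file and the name of every archive member at extraction time. Validating only the first is the gap the advisory describes; the hardened path writes a member only after it has passed the filter and been confirmed to stay inside the target directory.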

Added: Feb 3, 2026, 6:19 PM
Updated: Feb 3, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.