Campcodes Complete Online Learning Management System Unrestricted File Upload Vulnerability

Vulnerability

A critical vulnerability allowing unrestricted file uploads has been identified in Campcodes Complete Online Learning Management System version 1.0. The issue arises in the 'add_lesson' function within '/application/models/Crud_model.php', where the application fails to properly validate file extensions during the lesson attachment upload process. Instead of enforcing a secure whitelist, the system renames uploaded files using an MD5 hash while blindly appending the original, user-supplied extension, such as '.php'. This vulnerability can be exploited remotely, and the uploaded files' paths are disclosed in the HTML source code, allowing for easy execution of malicious payloads.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which can lead to the execution of malicious files on the server, resulting in remote code execution and complete server compromise.

Reproduction

To reproduce this vulnerability, upload a file with a dangerous extension such as '.php' through the lesson attachment feature. The application renames the file using an MD5 hash but appends the original extension, so the dangerous extension survives the rename. Once uploaded, the file's path can be retrieved from the frontend, where it is exposed in the HTML source code.
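The naming pattern described above next to an allowlist-based replacement, as an added example; it is not code from Campcodes or from this advisory. The function names, the allowlist contents, the input to the MD5 hash and the `$storageDir` parameter are assumptions made for illustration.

```php
<?php
// Added example, not Campcodes code. Function names, the allowlist and the
// storage directory are assumptions made for illustration.

const ALLOWED_ATTACHMENTS = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Pattern described in the advisory: hashed base name, but the extension is
// taken from the client, so "notes.php" is stored as "<md5>.php".
// (What is hashed is an assumption; the advisory only says "an MD5 hash".)
function stored_name_vulnerable(string $clientName): string
{
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);
    return md5(uniqid((string) mt_rand(), true)) . '.' . $ext;
}

// Hardened form: the extension must be on the allowlist and the MIME type
// detected from the file's bytes must match it. Returns null to reject.
function stored_name_hardened(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_ATTACHMENTS[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_ATTACHMENTS[$ext], true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function save_attachment(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = stored_name_hardened($file['name'], $file['tmp_name']);
    if ($name === null) {
        return null;
    }
    // $storageDir is assumed to sit outside the web root, or to be served
    // with script execution disabled, so stored files are never interpreted.
    return move_uploaded_file($file['tmp_name'], "$storageDir/$name") ? $name : null;
}
```

The hardened function relies on PHP's fileinfo extension for `finfo`. Serving attachments through a download handler instead of a direct URL also keeps the stored path out of the HTML source.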

Added: Apr 5, 2026, 7:18 AM
Updated: Apr 5, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.