Gym Management System Project v1.0 - Insecure File Upload
Summary
| Field | Value |
| --- | --- |
| Name | Gym Management System Project v1.0 - Insecure File Upload |
| Code name | |
| Product | Gym Management System Project |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-09-28 |
Vulnerability
| Field | Value |
| --- | --- |
| Kind | Insecure File Upload |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 9.1 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-5185 |
Description
Gym Management System Project v1.0 contains an Insecure File Upload vulnerability in the 'file' parameter of the profile/i.php page, which allows an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
Vulnerability
The 'file' parameter of the profile/i.php resource is not validated for the contents, extension or type of the file uploaded as a profile picture, which leads to an arbitrary file upload that can be abused to obtain Remote Code Execution. The vulnerable code is located in profile/i.php:

```php
<div class="col-md-4" style="width:100px;">
  <?php if($row['pic'] == 0) { ?>
    <img src="../img/thumb.png" width="100px" height="100px"><br><br>
    <form method="POST" action="../upload.php?id=<?php echo $row['id']; ?>" enctype="multipart/form-data">
      <input type="file" name="file" style="color: transparent;" accept="image/x-png, image/gif, image/jpeg"><br>
      <input type="submit" value="upload" name="pupload">
    </form>
  <?php } else if($row['pic'] == 1){ ?>
    <img src="../upload/<?php echo $row['picName']; ?>" width="100px" height="100px">
  <?php } ?>
</div>
```
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-5185 to refer to this issue from now on.
System Information
- Version: Gym Management System Project v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
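The `accept` attribute on the form above is only a browser hint; nothing on the server side enforces it. As an added example (this is not the vendor's code and not an official fix), the following upload handler shows the checks such an endpoint needs: it sniffs the real MIME type with `finfo` instead of trusting `$_FILES['type']` or the client filename, confirms the bytes decode as an image, re-encodes through GD so that any non-pixel data appended to a valid image is dropped, and assigns a server-generated name and extension so no user input reaches the filesystem path. The field name `file` comes from the page; the function name, the size limit and the `$uploadDir` argument are assumptions.

```php
<?php
// Hardened profile-picture upload handler (added example, not the project's code).
// Assumes the form field is named 'file' (as on the page); everything else here
// (function name, 2 MiB limit, $uploadDir) is a hypothetical configuration choice.

declare(strict_types=1);

function validate_and_store_image(array $file, string $uploadDir): string
{
    // Reject transport-level failures before looking at the content.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // Allow-list of MIME types mapped to the extension the server will assign.
    // The extension in the client-supplied filename is never used.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];

    // Sniff the real content type; $_FILES['type'] is client-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Confirm the bytes actually decode as an image of the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Re-encode through GD: only pixel data survives, so a payload appended
    // to an otherwise valid image is discarded. (Animated GIFs lose their frames.)
    $img = match ($mime) {
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('Could not decode image');
    }

    // Server-generated random name; no user input reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    $ok = match ($mime) {
        'image/png'  => imagepng($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0644);

    // Return the stored name so the caller can persist it (e.g. in $row['picName']).
    return $name;
}

// Hypothetical usage inside upload.php, after the user has been authenticated
// and authorized to change the profile identified by the request:
//   $stored = validate_and_store_image($_FILES['file'], __DIR__ . '/upload');
```

Even with these checks in place, the upload directory should be served as static content only, with script execution disabled for that path (or the files stored outside the document root and served through a controlled handler), so that a bypass of the content checks cannot turn into code execution.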
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
- Vendor page: https://projectworlds.in/
Timeline
- 2023-09-25: Vulnerability discovered.
- 2023-09-25: Vendor contacted.
- 2023-09-28: Public disclosure.