Gym Management System Project v1.0 - Insecure File Upload

Summary

NameGym Management System Project v1.0 - Insecure File Upload
Code name
ProductGym Management System Project
Affected versionsVersion 1.0
StatePublic
Release date2023-09-28

Vulnerability

KindInsecure File Upload
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSSv3.1 Base Score9.1
Exploit availableYes
CVE ID(s)

Description

Gym Management System Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'file' parameter of profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.

Vulnerability

The 'file' parameter of the profile/i.php page resource does not validate the contents, extension and type of the file uploaded as a book image, leading to an arbitrary file upload which can be abused to obtain Remote Code Execution. The vulnerable code is located at profile/i.php page:

 <div class="col-md-4" style="width:100px;"> <?php if($row['pic'] == 0) { ?> <img src="../img/thumb.png" width="100px" height="100px"><br><br> <form method="POST" action="../upload.php?id=<?php echo $row['id']; ?>" enctype="multipart/form-data"> <input type="file" name="file" style="color: transparent;" accept="image/x-png, image/gif, image/jpeg"><br> <input type="submit" value="upload" name="pupload"> </form> <?php } else if($row['pic'] == 1){ ?> <img src="../upload/<?php echo $row['picName']; ?>" width="100px" height="100px"> <?php } ?> </div>

Evidence of exploitation

evidence1

evidence1

Our security policy

We have reserved the ID CVE-2023-5185 to refer to this issue from now on.

System Information

  • Version: Gym Management System Project v1.0
  • Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://projectworlds.in/

Timeline

Time-lapse-logo

2023-09-25

Vulnerability discovered.

Time-lapse-logo

2023-09-25

Vendor contacted.

Time-lapse-logo

2023-09-28

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.