Student Information System - File Upload
Summary
| Field | Value |
|---|---|
| Name | Student Information System v1.0 - Insecure File Upload |
| Code name | Rubinstein |
| Product | Student Information System |
| Vendor | Kashipara Group |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-12-06 |
Vulnerability
| Field | Value |
|---|---|
| Kind | Insecure File Upload |
| Rule | 027. Insecure File Upload |
| Remote | Yes |
| CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVSSv3 Base Score | 9.9 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-4122 |
Description
Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of the my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
Vulnerability
The 'photo' parameter of the my-profile.php resource does not validate the contents, extension and type of the file uploaded as a profile image, leading to an arbitrary file upload which can be abused to obtain Remote Code Execution. The vulnerable code is:
```php
<?php
if(isset($_POST['submit']))
{
    var_dump($_POST); // debug output left in the handler
    $staffname=$_POST['studentname'];
    if($_FILES["photo"]["name"]!=""){ // it will upload the pic on database
        // The client-supplied file name is taken as-is: no extension, MIME or content check
        $photo=$_FILES["photo"]["name"];
        // The file is stored under that original name inside the web-served staffphoto/ directory
        move_uploaded_file($_FILES["photo"]["tmp_name"],"staffphoto/".$_FILES["photo"]["name"]); // photo will move to temp folder
        // The same unvalidated name is interpolated directly into the SQL string
        $ret1=mysqli_query($con,"update staff set staffPhoto='$photo' where StaffRegno='".$_SESSION['login']."'");
    }
}
```
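For contrast with the vulnerable handler above, the following is a hardened version of the same profile-photo upload. It is an added example written for this advisory, not the vendor's code or a patch from Kashipara Group. It assumes `$con` is an open mysqli connection, `$_SESSION['login']` holds the authenticated staff registration number, and that `UPLOAD_DIR` points to a directory the web server neither serves directly nor executes scripts from; the constant names, the size limit and the allowed-type list are choices made for the example.

```php
<?php
// Hardened profile-photo upload handler (added example, not the vendor's code).
// Assumptions: $con is an open mysqli connection, $_SESSION['login'] holds the
// authenticated staff registration number, and UPLOAD_DIR is a directory that
// the web server does not serve or execute scripts from.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../private_uploads/staffphoto'; // outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;                             // 2 MiB, chosen for the example
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // detected MIME => stored extension

/**
 * Validate an uploaded image and return a safe, server-chosen file name.
 * Throws RuntimeException on any failed check so that nothing is written to disk.
 */
function validate_photo(array $file): string
{
    // Reject anything PHP itself flagged (no file, partial upload, size limit hit)
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file received');
    }
    // Only accept a temporary file that really came through the HTTP upload mechanism
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Determine the type from the bytes on disk, never from the client-supplied name or type
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported image type: ' . $mime);
    }
    // Require a parseable image header as a second, independent content check
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }
    // Discard the original name entirely: the server picks a random name and the extension
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

if (isset($_POST['submit']) && isset($_FILES['photo'])) {
    try {
        $stored = validate_photo($_FILES['photo']);
        if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
            throw new RuntimeException('Upload directory unavailable');
        }
        $dest = UPLOAD_DIR . '/' . $stored;
        if (!move_uploaded_file($_FILES['photo']['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store file');
        }
        chmod($dest, 0640); // readable by the application only, never executable

        // Parameterised update instead of interpolating values into the SQL string
        $stmt = $con->prepare('UPDATE staff SET staffPhoto = ? WHERE StaffRegno = ?');
        $stmt->bind_param('ss', $stored, $_SESSION['login']);
        $stmt->execute();
        $stmt->close();
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Photo rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The three controls that matter here are that the stored name is generated by the server (so the user's name and extension never reach the filesystem), that the type decision is made from file content rather than from the request, and that the destination directory is outside the document root. Because the directory is not web-served, the application has to deliver the image itself, for example through a small read-only endpoint that looks the stored name up for the logged-in user and emits it with a fixed image `Content-Type`.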
Our security policy
We have reserved the ID CVE-2023-4122 to refer to this issue from now on.
System Information
- Version: Student Information System v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
- Vendor page: https://www.kashipara.com/
Timeline
- 2023-11-22: Vulnerability discovered.
- 2023-11-22: Vendor contacted.
- 2023-12-06: Public disclosure.