A security vulnerability has been detected in Campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. Manipulation of the argument File leads to an unrestricted file upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Campcodes School File Management System 1.0 is vulnerable to a critical security flaw allowing for unrestricted file uploads via the /save_file.php endpoint. This vulnerability enables remote attackers to upload malicious files, potentially leading to remote code execution (RCE) and complete system compromise. Immediate patching and mitigation are crucial to prevent exploitation.
Step 1: Reconnaissance: The attacker identifies a target system running Campcodes School File Management System 1.0 and locates the /save_file.php endpoint.
Step 2: Payload Creation: The attacker crafts a malicious file, such as a PHP web shell or a script designed to exploit other vulnerabilities on the server.
Step 3: Payload Delivery: The attacker uses a tool like curl or a custom script to send an HTTP POST request to /save_file.php, including the malicious file as the File argument.
Step 4: File Upload: The vulnerable script processes the request and uploads the attacker's file to a publicly accessible directory on the server, without proper validation.
Step 5: Post-Exploitation: The attacker accesses the uploaded file (e.g., the web shell) through a web browser or other means, triggering the execution of the malicious code and gaining control of the server.
The vulnerability stems from a lack of proper input validation and sanitization within the /save_file.php script when handling the File argument. The script likely fails to check the file type, size, or content, allowing attackers to upload arbitrary files, including web shells, executable scripts, or other malicious payloads. The root cause is a missing or inadequate implementation of security controls such as file extension whitelisting, file size limits, and content type validation. This allows attackers to bypass security measures and upload malicious files to the server.
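The advisory does not show the affected script, so the following is an added example rather than the project's code: a hardened PHP upload handler that applies the three controls named above (extension whitelist, size limit, content type validation) to the File parameter. The upload directory, size limit and allowed type list are assumptions chosen for illustration.

```php
<?php
// Added example, not the project's code: a hardened upload handler with the
// controls the advisory names. Limits, paths and the type list are assumptions.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;      // assumed size limit
const UPLOAD_DIR       = '/var/app/uploads';   // assumed: outside the web root, no script execution
const ALLOWED_TYPES    = [                     // extension => MIME type the bytes must actually have
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

// Validate one $_FILES entry and store it; throws with a log-safe reason on rejection.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {  // must have arrived through PHP's upload mechanism
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {      // size limit
        throw new RuntimeException('file too large');
    }
    // Extension whitelist on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content check: sniff the real type from the bytes; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-generated name: the client never chooses the stored path or extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                          // readable by the app user, never executable
    return $dest;
}
```

The handler calls store_upload($_FILES['File']) and maps a RuntimeException to an HTTP 400 while logging the reason; because the stored name is server-generated and the directory sits outside the web root, a file that passes the checks still cannot be executed as a script.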