A vulnerability was found in PHPGurukul Online Course Registration up to version 3.1. It affects an unknown part of the file /admin/edit-student-profile.php in the Student Registration Page component. Manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. A public exploit exists and could be used.
PHPGurukul Online Course Registration versions up to 3.1 are vulnerable to unrestricted file upload (CWE-434): an attacker can submit an arbitrary file through the photo field of /admin/edit-student-profile.php. Because the page lives under /admin, the attacker normally needs an administrator session first; once that is in hand, a server-side script can be placed on the host and requested over HTTP, which leads to remote code execution (RCE) and full compromise of the server and of the student data it holds. A public exploit is available, which raises the likelihood of exploitation.
Step 1: Access the Vulnerable Page: The attacker opens /admin/edit-student-profile.php. This page normally requires administrator credentials, which may have been obtained by other means (credential reuse, a weak password, or a separate flaw in the application).
Step 2: Craft the Malicious Payload: The attacker prepares a PHP script that, when executed, opens a reverse shell, reads the database, or installs further tooling. To pass any superficial check the file may be given an image-like header (for example the bytes GIF89a followed by the PHP code) or an image Content-Type in the multipart request; such a file still satisfies header-based type detection.
Step 3: Upload the Malicious File: The attacker submits the crafted file in the photo field of the edit-student-profile.php form. Because the application does not restrict the extension or the content of the upload, the file is stored on the server as supplied.
Step 4: Trigger Code Execution: The attacker requests the stored file over HTTP. The upload location is found by guessing the upload path, by reading it from the profile page that displays the photo, or through another weakness. If the stored filename keeps a .php extension, which is the usual outcome of an unrestricted upload, the web server hands the file to the PHP interpreter, the payload runs with the web server's privileges, and the attacker gains control of the host.
The vulnerability stems from insufficient validation of the photo parameter in /admin/edit-student-profile.php. The application does not check the uploaded file's extension, content, or size against a server-side allowlist, and it stores the file under a name the client controls in a directory the web server can serve. An attacker can therefore upload a PHP script disguised as an image; when that file is later requested, the web server executes it rather than serving it as a picture, which leads to RCE. The root cause is the missing file-type and content validation, compounded by two deployment choices that turn a bad upload into code execution: the stored filename (and so the extension that selects the PHP handler) is taken from the request, and the upload directory allows script execution. Input sanitization of the other form fields does not change this; the upload path itself has to be restricted.
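The following is an added example, not PHPGurukul's code and not the patched handler, showing what a hardened replacement for the photo handling described in the steps and root cause above looks like. Only the field name photo comes from the advisory; the size limit, the allowlist, the upload directory and the function names are assumptions. The CLI demo at the bottom feeds the handler three constructed inputs, including the GIF89a+PHP polyglot from Step 2, to show which control actually stops it.

```php
<?php
// Added example, not PHPGurukul code: a hardened handler for the "photo"
// field the advisory names. Paths, limits and the allowlist are assumptions.
declare(strict_types=1);

const PHOTO_MAX_BYTES = 2 * 1024 * 1024;
// Server-side allowlist: detected MIME type -> extension WE assign. The
// client-supplied filename and Content-Type never reach the filesystem.
const PHOTO_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Check the uploaded bytes and return the extension to store them under.
 * Throws on anything that is not a small image.
 */
function validate_photo(string $tmpPath, int $size): string
{
    if ($size <= 0 || $size > PHOTO_MAX_BYTES) {
        throw new RuntimeException('photo: size out of range');
    }
    // Sniff the content; $_FILES['photo']['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(PHOTO_TYPES[$mime])) {
        throw new RuntimeException('photo: content type ' . var_export($mime, true) . ' not allowed');
    }
    return PHOTO_TYPES[$mime];
}

/**
 * Store a validated upload under a random, server-chosen name.
 * Returns the stored basename. $uploadDir must be a directory in which the
 * web server does not execute scripts (see the note below the example).
 */
function store_photo(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('photo: upload error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('photo: not an uploaded file');
    }
    $ext  = validate_photo($file['tmp_name'], (int) $file['size']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // no attacker input in the name
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('photo: could not store file');
    }
    return $name;
}

// --- CLI demo with constructed inputs (no real HTTP upload involved) -------
// Note that the polyglot is NOT rejected by content sniffing: libmagic sees
// the GIF header and reports image/gif. What prevents execution is that the
// file is stored as *.gif under a random name in a non-executing directory.
if (PHP_SAPI === 'cli') {
    $samples = [
        'plain php script' => "<?php system(\$_GET['c']); ?>",
        'gif/php polyglot' => 'GIF89a' . "<?php system(\$_GET['c']); ?>",
        'real 1x1 gif'     => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'photo');
        file_put_contents($tmp, $bytes);
        try {
            $ext = validate_photo($tmp, strlen($bytes));
            printf("%-16s -> accepted, would be stored as <random>.%s\n", $label, $ext);
        } catch (RuntimeException $e) {
            printf("%-16s -> rejected: %s\n", $label, $e->getMessage());
        } finally {
            unlink($tmp);
        }
    }
}
```

Run it with php on the command line; the plain script is rejected as text/x-php, while both the real GIF and the polyglot are accepted as image/gif. That is the point of the demo: type sniffing is a useful filter but cannot tell a polyglot from an image, so the controls that actually close the RCE path are the server-assigned extension, the random filename, and an upload directory in which the web server never runs PHP (for Apache, a directory-level php_flag engine off or a handler removal; for nginx, a location block that serves the directory as static files only). Re-encoding the image with GD before storing it is a reasonable further step, since it discards bytes that are not pixel data, but it should be added on top of these controls, not instead of them.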