VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2023 · Updated Jan 8, 2025

CVE-2023-33569

Description

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via ip/eval/ajax.php?action=update_user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sourcecodester Faculty Evaluation System v1.0 allows authenticated arbitrary file upload in the user update feature, leading to remote code execution.

Vulnerability

Sourcecodester Faculty Evaluation System v1.0, built with PHP and MySQL, contains an arbitrary file upload vulnerability in the /eval/ajax.php?action=update_user endpoint. The application does not properly validate the img parameter when updating a user profile, allowing an attacker to upload a PHP file instead of an image. The file is stored in the \eval\assets\uploads\ directory. Affected version is v1.0 [1].

Exploitation

An attacker must first log in with Super Admin credentials (e.g., admin@admin.com/admin123). The attacker then sends a crafted multipart POST request to ip/eval/ajax.php?action=update_user with the malicious PHP file as the img field. For example, a file named php.php containing <?php phpinfo();?> is uploaded. The request includes the user ID and other profile fields [1].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server by accessing the uploaded file via the web browser. This leads to full remote code execution (RCE) with the privileges of the web server, which typically includes the ability to read, write, and execute files, access databases, and compromise the entire application [1].

Mitigation

As of the publication date, no official patch or updated version has been released by the vendor. The application appears to be abandoned (the last update on Sourcecodester is v1.0). The available mitigations are to restrict network access to the application, implement strict file upload validation (whitelist extensions and MIME types), and disable PHP execution in the uploads directory via web server configuration (.htaccess or equivalent) [1].
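As an added illustration of the upload validation the mitigation calls for (this is example code, not the Faculty Evaluation System's own handler), the following function accepts the img field of a profile update only if the extension is on an allow-list, the server-detected MIME type matches it, and the bytes parse as an image; the function name, size limit and upload directory path are assumptions:

```php
<?php
// Added example, not the application's code: validate a profile image before
// it is stored under the web root, then store it under a server-chosen name.
function storeProfileImage(array $file, string $uploadDir): string
{
    // Reject anything that is not a complete, genuine PHP upload.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) { // assumed 2 MiB limit
        throw new RuntimeException('file too large');
    }
    // Allow-list: extension => MIME type the server must detect from content.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    // The client-supplied name only selects the expected type; it never
    // reaches the filesystem, so names such as php.php are rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect MIME from the bytes, not from $_FILES['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Require the file to actually decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Random server-chosen filename with the validated extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
// Typical call from the update_user handler:
// $stored = storeProfileImage($_FILES['img'], __DIR__ . '/assets/uploads');
```

Content checks alone do not stop an image that also carries PHP code, so this belongs alongside the web server rule that refuses to execute scripts under the uploads directory.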

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.