CVE-2023-5284 - Critical Vulnerability Discovered in SourceCodester Engineers Online Portal 1.

A very critical vulnerability in the SourceCodester Engineers Online Portal 1. has recently been discovered, and is considered a severe security flaw that affects an unknown function of the file upload_save_student.php. The flaw, identified as CVE-2023-5284, can be abused by attackers, who can exploit it remotely. Researchers have publicly disclosed this vulnerability, and assigned it an identifier VDB-240912. This flaw could be devastating, as it allows for unrestricted uploading of potentially malicious files. In this post, we will discuss this issue and its severity, provide details about the exploit, and link to original references.

CVE-2023-5284 - VULNERABILITY DETAILS

The vulnerability stems from improper sanitization or checks when handling the uploaded_file argument, which is processed by the upload_save_student.php file. Attackers can manipulate this argument, tricking the application into accepting a file of their choice, potentially containing malicious payloads. These files could then compromise the application or the server itself.

Here is a sample code snippet that demonstrates this vulnerability

// Example code snipplet of the vulnerability
// Found in upload_save_student.php

$target_dir = "uploads/";
$uploaded_file = $_FILES["uploaded_file"]["name"];
move_uploaded_file($_FILES["uploaded_file"]["tmp_name"], $target_dir.$uploaded_file);

In this example, the application accepts a user-provided file without any proper validation, leaving it open to unrestricted uploaded_file manipulation.

EXPLOIT DETAILS

Exploiting this vulnerability would only require an attacker to craft and upload a malicious file using the affected feature. The attack could be performed remotely, possibly leading to severe consequences.

Further details and references regarding this vulnerability can be found at the following sources

- Vulnerability Database - VDB-240912 : A complete description of the vulnerability, with technical information and analysis.
- CVE-2023-5284 - Mitre : Official Mitre entry for this vulnerability, providing information such as CVSS scores, affected software and more.

It is crucial that developers and system administrators using SourceCodester Engineers Online Portal 1. remain vigilant in mitigating this vulnerability, as it may lead to severe security breaches. It is highly recommended to patch any affected systems and update to a version that contains a fix for this vulnerability before it can be exploited by malicious actors.

Timeline

Published on: 09/29/2023 20:15:10 UTC
Last modified on: 11/07/2023 04:23:47 UTC