CVE-2021-42669

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical file upload vulnerability in Sourcecodester Engineers Online Portal that allows attackers to upload PHP webshells and execute arbitrary commands on the web server. It affects every deployment of the vulnerable software version and can lead to complete system compromise. Attackers can exploit it without authentication by uploading malicious files through the teacher avatar functionality.

💻 Affected Systems

Products:
  • Sourcecodester Engineers Online Portal
Versions: All versions prior to patch (specific version unknown)
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable PHP files installed and accessible via web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with the attacker gaining root/system-level access, data exfiltration, ransomware deployment, and lateral movement to other systems.

🟠 Likely Case: Web server compromise leading to data theft, defacement, cryptocurrency mining, or use as part of a botnet.

🟢 If Mitigated: Limited impact with proper file upload validation and directory restrictions preventing malicious file execution.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable remotely without authentication on internet-facing systems.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist demonstrating remote code execution via simple file upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. Replace the vulnerable files with the patched versions.
3. Remove any uploaded malicious files from the /admin/uploads/ directory.

🔧 Temporary Workarounds

File Upload Restriction

Implement strict file upload validation that only allows image files, and prevent PHP execution in the upload directory.

# Add to .htaccess in the uploads directory (requires AllowOverride to permit it).
# Apache 2.2 syntax shown; on Apache 2.4 replace the Order/Deny lines with "Require all denied".
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Restrict file types in the PHP upload handler. $filename is the client-supplied
# name from $_FILES; an extension check alone does not inspect the file contents,
# so combine it with the directory restriction above.
$allowed_types = array('jpg', 'jpeg', 'png', 'gif');
$file_extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_types, true)) {
    die('Invalid file type');
}

Directory Access Control

Move the upload directory outside the web root, or restrict access to authenticated users only.

# Move uploads directory outside web root
mv /var/www/html/admin/uploads /var/uploads
# Update code to reference new location
# Add authentication check to teacher_avatar.php
session_start();
if (!isset($_SESSION['teacher_id'])) {
    header('Location: login.php');
    exit();
}
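A hardened avatar upload check that combines the two workarounds above, as an added example (not the portal's own code): it sniffs the real MIME type from the file bytes, assigns the extension itself, gives the file a random server-chosen name and stores it outside the web root. The `save_avatar` name, the `/var/uploads/avatars` path and the 2 MB limit are assumptions.

```php
<?php
// Added hardening example (not the project's code). Paths, limits and the
// function name are assumptions.

// Destination outside the web root (assumed path): nothing stored here can be
// requested and executed as PHP. Serve avatars through a script that reads
// the file and emits it with an image Content-Type.
const AVATAR_DIR = '/var/uploads/avatars';
const MAX_AVATAR_BYTES = 2 * 1024 * 1024;

// Allowed MIME types mapped to the extension we assign ourselves.
// The client-supplied filename and $_FILES['type'] are never trusted.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function save_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Sniff the content type from the bytes, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Invalid file type');
    }
    // Reject anything that does not decode as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Random server-chosen name: no user input reaches the filesystem path,
    // and the extension comes from the detected MIME type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = AVATAR_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// In teacher_avatar.php, after the session check shown above:
// $stored = save_avatar($_FILES['avatar']);
```

Content sniffing does not stop a valid image with PHP appended in its metadata, which is why the stored file must also live where it can never be executed.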

🧯 If You Can't Patch

  • Disable or remove the vulnerable teacher avatar upload functionality entirely.
  • Implement web application firewall (WAF) rules to block file uploads containing PHP code and monitor for exploit attempts.

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a PHP file through the teacher avatar functionality at dashboard_teacher.php and check if it's accessible and executable.

Check Version:

# Check PHP files for version information
grep -r "version\|Version" /path/to/engineers-portal/ | head -5

Verify Fix Applied:

Test that PHP files cannot be uploaded or executed from the uploads directory, and verify proper file type validation is in place.

📡 Detection & Monitoring

Log Indicators:

  • File uploads with .php extension to /admin/uploads/
  • Unusual POST requests to teacher_avatar.php
  • Commands executed via GET parameters to files in uploads directory

Network Indicators:

  • HTTP requests to /admin/uploads/*.php?cmd=*
  • Unusual outbound connections from web server

SIEM Query:

source="web_server_logs" AND (uri_path="/admin/uploads/*.php" OR uri_path="/teacher_avatar.php") AND (method="POST" OR query_string="*cmd=*")
