CVE-2021-46013
📋 TL;DR
This vulnerability allows attackers to upload arbitrary PHP files to the school management software's upload directory, enabling remote code execution. Attackers can execute system commands on the web server by accessing the uploaded webshell. All users of Sourcecodester Free School Management Software 1.0 are affected.
💻 Affected Systems
- Sourcecodester Free School Management Software
📦 What is this software?
Free School Management Software by Free School Management Software Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to internal networks, and maintain persistent access.
Likely Case
Attackers upload webshells to execute commands, deface websites, steal sensitive student/administrative data, and potentially use the server for further attacks.
If Mitigated
If proper file upload validation and directory restrictions are in place, attackers cannot upload malicious files, and any file that does get uploaded cannot be executed or reached through the web server.
🎯 Exploit Status
Exploit requires no authentication and uses simple file upload with PHP webshell payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. Consider upgrading to a newer version if one is available, or implement the workarounds below.
🔧 Temporary Workarounds
Restrict file upload extensions
Configure the web server to serve only specific safe file extensions from the upload directory and to refuse PHP and other script files there.
# In .htaccess placed in the upload directory itself (not the document root, or the whole application stops working).
# Apache 2.2 syntax; also works on 2.4 when mod_access_compat is loaded:
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# On Apache 2.4 without mod_access_compat replace the two Order/Deny lines with:
#   Require all denied
# In nginx config. Scope the rule to the upload path and put it BEFORE any "location ~ \.php$" block
# that passes requests to PHP-FPM: nginx uses the first matching regex location, so a later rule is never reached.
location ~* ^/uploads/.*\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
}
Move upload directory outside web root
Configure the application to save uploads in a directory outside the publicly accessible web root.
# Change the upload path in the application configuration to a directory outside the web root.
# Files stored there are no longer reachable by URL, so deliver them through a server-side download
# script that checks authorisation and sets a fixed Content-Type, rather than by direct link.
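Added example, not code from the Sourcecodester project or from this advisory: the checks a hardened upload handler should perform before writing anything to disk, written in Python for illustration (the same steps port directly to PHP with pathinfo(), finfo_file() and random_bytes()). The storage path, the allow-list of types and the sample filenames are assumptions chosen for the example.

```python
# Added example (not the project's code): extension allow-list, magic-byte check,
# server-chosen filename, storage outside the web root.
import os
import secrets

# Allow-list of extensions and the magic bytes each one must start with.
# Anything not in this table is rejected, so .php/.phtml/.htaccess never get through.
ALLOWED_TYPES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# Assumed storage location outside the web root (hypothetical path).
UPLOAD_ROOT = "/var/app-data/exam_question"


class UploadRejected(Exception):
    pass


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the extension to store the file under, or raise UploadRejected.

    Every dotted component after the first is checked, so a double extension
    such as 'shell.php.jpg' is refused; the content's magic bytes must match
    the claimed type, so 'shell.jpg' containing PHP source is refused too.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or leading-dot filename")
    exts = parts[1:]
    for ext in exts:
        if ext not in ALLOWED_TYPES:
            raise UploadRejected(f"extension not allowed: .{ext}")
    ext = exts[-1]
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    if b"<?php" in data or b"<?=" in data:  # defence in depth against polyglot files
        raise UploadRejected("embedded PHP tag")
    return ext


def upload_allowed(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def stored_name(ext: str) -> str:
    """Server-chosen random filename; the client-supplied name is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(client_filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate, then write under a random name below `root` (outside the web root)."""
    ext = validate_upload(client_filename, data)
    path = os.path.join(root, stored_name(ext))  # constants + hex token: no traversal possible
    os.makedirs(root, exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Combined with the web server rules above, this gives two independent layers: the application never stores an executable file, and the web server never executes one if the application check is bypassed.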
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file uploads with PHP content
- Disable file upload functionality entirely if not required
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a PHP file with simple content like <?php echo 'test'; ?> to the exam question upload endpoint and check if accessible via browser.
Check Version:
Check application version in admin panel or about page, or examine source code files for version indicators.
Verify Fix Applied:
Attempt the same upload test: PHP files should be blocked, or inaccessible if uploaded. Check that only the allowed file types can be uploaded.
📡 Detection & Monitoring
Log Indicators:
- File upload requests with PHP extensions
- Access to /uploads/exam_question/ directory with PHP files
- Unusual POST requests to upload endpoints
Network Indicators:
- HTTP POST requests with PHP file content to upload endpoints
- Subsequent GET requests to uploaded PHP files with cmd parameters
SIEM Query:
web.url:*uploads/exam_question/*.php OR (web.method:POST AND web.url:*upload* AND web.content_type:"multipart/form-data" AND web.post_data:*<?php*)
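The log and network indicators above, turned into a small detector as an added example (not part of the advisory). It runs over constructed Apache combined-format access-log lines; the client addresses, timestamps and the `/admin/upload_question.php` endpoint are made up for the example, and the upload directory is the one named in the indicators.

```python
# Added example (not part of the advisory): detect script files requested under the
# upload directory, and escalate when the same client POSTed to an upload endpoint first.
import re
from collections import defaultdict

# Apache/nginx combined log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIR = "/uploads/exam_question/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|pl|py|jsp|asp|sh|cgi)$", re.I)

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "POST /admin/upload_question.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jan/2022:10:00:09 +0000] "GET /uploads/exam_question/x.php?cmd=test HTTP/1.1" 200 87',
    '198.51.100.4 - - [10/Jan/2022:10:01:00 +0000] "GET /uploads/exam_question/exam1.pdf HTTP/1.1" 200 40211',
    '198.51.100.9 - - [10/Jan/2022:10:02:00 +0000] "GET /uploads/exam_question/old.phtml HTTP/1.1" 404 210',
]


def parse(line: str):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return a list of alert dicts, one per suspicious request.

    Rule 1 (high): any request for a script-extension file under UPLOAD_DIR,
                   whatever the status code (a 404 still shows someone probing).
    Rule 2 (critical): the client previously POSTed to an upload endpoint and now
                   GETs a script under UPLOAD_DIR with a query string, the
                   upload-then-execute sequence from the Network Indicators.
    """
    alerts = []
    posted_upload = defaultdict(bool)  # ip -> has POSTed to an upload endpoint
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path, _, query = r["url"].partition("?")
        if r["method"] == "POST" and "upload" in path.lower():
            posted_upload[r["ip"]] = True
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            severity = "high"
            if r["method"] == "GET" and query and posted_upload[r["ip"]]:
                severity = "critical"
            alerts.append({"ip": r["ip"], "url": r["url"],
                           "status": r["status"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f'{a["severity"]:8} {a["ip"]:15} {a["status"]} {a["url"]}')
```

A successful (200) response to a script under the upload directory is the strongest signal, because it means the web server executed or served the file; a 404 or 403 for the same path shows the block rule working but still identifies a client worth investigating.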