CVE-2024-5047 Overview
A critical unrestricted file upload vulnerability has been discovered in SourceCodester Student Management System version 1.0. The vulnerability exists in the /student/controller.php file, where improper validation of the photo parameter allows attackers to upload arbitrary files without proper security controls. This flaw enables remote attackers to potentially upload malicious scripts or executables to the web server, which could lead to remote code execution, complete system compromise, or further exploitation of the affected environment.
Critical Impact
Remote attackers can exploit this unrestricted file upload vulnerability to upload malicious files (such as PHP web shells) through the photo parameter, potentially achieving remote code execution on the target server.
Affected Products
- SourceCodester Student Management System 1.0
- kabir-m-alhasan Student Management System 1.0
Discovery Timeline
- May 17, 2024 - CVE-2024-5047 published to NVD
- February 10, 2025 - Last updated in NVD database
Technical Details for CVE-2024-5047
Vulnerability Analysis
This vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type). The Student Management System fails to properly validate file types and content when users upload photos through the controller.php endpoint. Without adequate file type restrictions, content-type validation, or file extension checking, an attacker can upload malicious files disguised as legitimate image uploads.
The attack can be launched remotely over the network without requiring any authentication or user interaction. Once a malicious file is uploaded, the attacker may be able to execute it directly if the upload directory is web-accessible, leading to arbitrary code execution on the server.
Root Cause
The root cause of this vulnerability is the absence of proper file upload validation in the /student/controller.php file. The application does not implement essential security controls such as:
- File extension whitelist validation
- MIME type verification
- File content inspection (magic byte checking)
- Secure file storage outside the web root
- Randomized filename generation
Attack Vector
The vulnerability is exploitable over the network (AV:N) with low attack complexity. An attacker can craft a malicious HTTP POST request to the /student/controller.php endpoint, manipulating the photo parameter to upload a file containing executable code (such as a PHP web shell). If successful, the attacker can then access the uploaded file through a direct URL, executing the malicious payload and gaining control over the server.
The exploit has been publicly disclosed, increasing the risk of widespread exploitation against unpatched systems. Technical details and proof-of-concept information are available through the GitHub Unrestricted Upload Resource.
Detection Methods for CVE-2024-5047
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .php5) appearing in upload directories
- Web shell artifacts or suspicious script files in the photo upload location
- Unusual POST requests to /student/controller.php with non-image file content
- Anomalous outbound network connections originating from the web server
Detection Strategies
- Monitor HTTP POST requests to /student/controller.php for suspicious file uploads containing non-image MIME types
- Implement file integrity monitoring on web-accessible directories to detect unauthorized file creation
- Review web server access logs for direct access to recently uploaded files with executable extensions
- Deploy web application firewall (WAF) rules to block uploads of executable file types
Monitoring Recommendations
- Enable detailed logging on the Student Management System application and web server
- Configure alerts for file creation events in upload directories that don't match expected image formats
- Implement behavioral analysis to detect web shell activity patterns such as command execution or file system enumeration
- Regularly audit upload directories for files that don't conform to expected image file signatures
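The log-based detection strategies above, worked as an added Python example (not code from the page, the vendor, or the application): it parses Apache/nginx combined-format access lines, records POSTs to /student/controller.php per client, and flags any request for a file under the photo upload path whose extension is executable (high severity) or simply not an image (medium severity), noting whether the same client posted to the upload endpoint earlier in the log. The upload web path /student/uploads/ and the sample log lines are constructed for the example; substitute the directory the deployed application actually writes to.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption for this example: the application serves uploaded photos from here.
UPLOAD_PREFIX = "/student/uploads/"
UPLOAD_ENDPOINT = "/student/controller.php"
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# Same extension pattern the page's Apache FilesMatch rule blocks.
EXEC_EXT_RE = re.compile(r"\.ph(p[2-7]?|t|tml|ar|ps)$", re.IGNORECASE)

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one client POSTs to the upload
# endpoint and then fetches a .php file from the upload path; another client
# only fetches a photo and a stray .txt file.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2024:10:01:02 +0000] "POST /student/controller.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [17/May/2024:10:01:05 +0000] "GET /student/uploads/cmd.php?v=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [17/May/2024:10:02:11 +0000] "GET /student/uploads/photo1.jpg HTTP/1.1" 200 20481',
    '198.51.100.4 - - [17/May/2024:10:02:40 +0000] "GET /student/uploads/notes.txt HTTP/1.1" 404 196',
    '198.51.100.4 - - [17/May/2024:10:03:00 +0000] "GET /student/index.php HTTP/1.1" 200 3310',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return findings for suspicious requests against the upload directory.

    A finding is 'high' when the requested file has an executable extension and
    'medium' when it merely is not an image. correlated_upload is True when the
    same client POSTed to the upload endpoint earlier in the scanned lines.
    """
    posts_by_client: Dict[str, int] = defaultdict(int)
    findings: List[Dict[str, object]] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path  # drop any query string
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posts_by_client[rec["client"]] += 1
            continue
        if not path.startswith(UPLOAD_PREFIX):
            continue
        name = path.rsplit("/", 1)[-1]
        if "." not in name:
            continue  # directory request, not a file fetch
        ext = name.rsplit(".", 1)[-1].lower()
        if EXEC_EXT_RE.search(name):
            severity = "high"
        elif ext not in IMAGE_EXT:
            severity = "medium"
        else:
            continue  # ordinary image fetch
        findings.append({
            "severity": severity,
            "client": rec["client"],
            "time": rec["time"],
            "path": path,
            "status": rec["status"],
            "correlated_upload": posts_by_client[rec["client"]] > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Run it against the real access log with `scan_access_log(open(path).read().splitlines())`; a high-severity finding with `correlated_upload` true is the upload-then-execute sequence the attack vector section describes and should be treated as a probable web shell until the file is inspected.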
How to Mitigate CVE-2024-5047
Immediate Actions Required
- Restrict or disable the photo upload functionality until a patch is applied
- Implement strict file extension whitelisting to only allow image formats (.jpg, .jpeg, .png, .gif)
- Configure the web server to prevent execution of scripts in upload directories
- Review and remove any suspicious files from upload directories immediately
Patch Information
No official vendor patch has been released at the time of this writing. Organizations using SourceCodester Student Management System 1.0 should monitor the VulDB Advisory #264744 for updates and consider implementing the workarounds below to reduce exposure.
Workarounds
- Add server-side validation to check file MIME types and magic bytes before accepting uploads
- Store uploaded files outside the web root directory to prevent direct execution
- Rename uploaded files using random, non-guessable filenames without preserving original extensions
- Configure .htaccess or web server settings to deny script execution in upload directories
- Consider implementing a content delivery network (CDN) or separate storage server for uploaded media
# Apache configuration to prevent script execution in upload directory
# Add to .htaccess in the upload directory (the server's AllowOverride setting
# must permit these directives). Order/Allow/Deny is the Apache 2.2 syntax and
# needs mod_access_compat on Apache 2.4; the 2.4 equivalents are
# "Require all denied" and "Require all granted".
# Disable PHP execution
<FilesMatch "\.ph(p[2-7]?|t|tml|ar|ps)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Only allow specific image file types
<FilesMatch "^.*\.(jpg|jpeg|png|gif)$">
Order Allow,Deny
Allow from all
</FilesMatch>
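The missing controls listed under Root Cause and the server-side workarounds above, implemented together as an added Python example (not code from the page or from the Student Management System, whose controller is PHP; the checks are language-neutral): extension whitelist, Content-Type check, magic-byte inspection, agreement between all three, a random filename that carries only the detected image type, and storage in a directory outside the web root. The storage path /var/lib/sms-photos, the size limit and the sample byte strings are assumptions constructed for the example.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Assumption for this example: a directory the web server never serves directly.
DEFAULT_STORE = Path("/var/lib/sms-photos")
MAX_BYTES = 2 * 1024 * 1024  # example limit; size the real value to your photos
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
ALLOWED_MIME = {"image/jpeg": "jpg", "image/png": "png", "image/gif": "gif"}
# File signatures (magic bytes) of the accepted formats.
SIGNATURES = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'hello'; ?>"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image format from the file content alone, or None."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return kind
    return None


def validate_photo(filename: str, data: bytes, claimed_mime: str) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, detected_type).

    The client-supplied filename and Content-Type are untrusted hints; the
    decision rests on the magic bytes, and all three must agree.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size out of range", None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop path components
    if "." not in base:
        return False, "missing extension", None
    ext = base.rsplit(".", 1)[1].lower()  # only the final extension counts
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed", None
    if claimed_mime not in ALLOWED_MIME:
        return False, f"content type {claimed_mime} not allowed", None
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image", None
    if ("jpg" if ext == "jpeg" else ext) != kind or ALLOWED_MIME[claimed_mime] != kind:
        return False, f"extension or content type disagree with actual {kind} content", kind
    return True, "ok", kind


def random_name(kind: str) -> str:
    """Non-guessable name; the original filename is never reused."""
    return f"{secrets.token_hex(16)}.{kind}"


def store_photo(filename: str, data: bytes, claimed_mime: str, store_dir: Path = DEFAULT_STORE) -> Path:
    """Validate and write the upload outside the web root; raise ValueError if rejected."""
    ok, reason, kind = validate_photo(filename, data, claimed_mime)
    if not ok:
        raise ValueError(reason)
    store_dir = Path(store_dir)
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / random_name(kind)
    with open(dest, "xb") as fh:  # "x" mode refuses to overwrite an existing file
        fh.write(data)
    return dest


def demo(store_dir: Optional[Path] = None) -> Path:
    """Store the constructed PNG sample (in a temp dir by default) and return its path."""
    target = Path(store_dir) if store_dir else Path(tempfile.mkdtemp())
    return store_photo("photo.png", PNG_SAMPLE, "image/png", target)


if __name__ == "__main__":
    print("stored at", demo())
    for name, data, mime in [("shell.php", PHP_SAMPLE, "image/jpeg"),
                             ("shell.php.jpg", PHP_SAMPLE, "image/jpeg"),
                             ("photo.jpg", PNG_SAMPLE, "image/jpeg")]:
        print(name, "->", validate_photo(name, data, mime)[1])
```

Serving the stored photo back to users should go through an application route that reads the file by its random name and sets the image Content-Type, so that nothing in the store directory is ever resolved by the web server as a script.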
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.