CVE-2024-6801 Overview
CVE-2024-6801 is an unrestricted file upload vulnerability in SourceCodester Online Student Management System 1.0. The flaw resides in the /add-students.php script, where the image parameter accepts attacker-controlled files without proper validation [CWE-434]. A remote authenticated attacker can upload arbitrary files, including server-side scripts, through the affected endpoint. The exploit details have been publicly disclosed under VulDB identifier VDB-271703, making opportunistic exploitation attempts likely against exposed instances.
Critical Impact
Remote attackers with low-privilege access can upload arbitrary files via the image parameter in /add-students.php, potentially achieving code execution on the underlying web server.
Affected Products
- SourceCodester Online Student Management System 1.0
- PHP-based deployments using the add-students.php upload handler
- Any forks or derivative projects reusing the vulnerable upload routine
Discovery Timeline
- 2024-07-17 - CVE-2024-6801 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6801
Vulnerability Analysis
The vulnerability is classified as an unrestricted file upload weakness [CWE-434]. The /add-students.php endpoint processes student record submissions that include an avatar or profile photo via the image parameter. The handler does not enforce file-type, extension, or MIME validation before writing the uploaded content to a web-accessible directory.
Because the application is PHP-based, an attacker can substitute the expected image file with a PHP script. Once the file lands in a directory served by the web server, requesting the uploaded path triggers script execution under the web server's user context. The attacker gains an interactive foothold without needing memory corruption or authentication bypass primitives.
Root Cause
The root cause is missing server-side validation of the uploaded file's content type, extension, and magic bytes. The application trusts the client-supplied filename and stores the file directly. There is no allowlist of permitted extensions and no rewriting of stored filenames to a safe, non-executable form.
Attack Vector
Exploitation is performed remotely over HTTP against an authenticated session with low privileges. The attacker submits a multipart form POST to /add-students.php with the image field set to a malicious payload such as shell.php. After upload, the attacker accesses the resulting URL to invoke the script. Refer to the public GitHub issue and VulDB entry #271703 for the disclosed proof-of-concept details.
Detection Methods for CVE-2024-6801
Indicators of Compromise
- Unexpected .php, .phtml, .phar, or double-extension files (for example image.jpg.php) within upload directories used by the application.
- Web server access logs showing POST requests to /add-students.php followed by GET requests to newly created files in image upload paths.
- New web shell artifacts containing functions such as system(), exec(), passthru(), or eval($_REQUEST[...]) inside upload folders.
Detection Strategies
- Hash and inventory all files in upload directories, then alert when non-image MIME types appear.
- Inspect HTTP POST bodies to /add-students.php for Content-Disposition filenames ending in executable extensions.
- Correlate file creation events on the web root with subsequent outbound network connections from the web server process.
Monitoring Recommendations
- Enable verbose web server access logging and forward logs to a centralized analytics platform for retention and querying.
- Monitor the PHP interpreter process for child processes spawning shells, which is atypical for image-handling workflows.
- Track authentication events to the student management portal and flag accounts that upload disproportionate numbers of files.
How to Mitigate CVE-2024-6801
Immediate Actions Required
- Restrict access to the Online Student Management System to trusted networks or place it behind a VPN until a vendor patch is available.
- Disable PHP execution within the upload directory at the web server configuration layer.
- Audit existing upload directories for previously planted web shells and remove any unauthorized files.
Patch Information
No official vendor patch has been published for SourceCodester Online Student Management System 1.0 at the time of NVD listing. Refer to the VulDB advisory and the upstream GitHub issue tracker for status updates. Organizations should evaluate whether continued use of this application is appropriate given the lack of a fix.
Workarounds
- Implement a server-side allowlist that accepts only specific image extensions such as .jpg, .png, and .gif, and verify file magic bytes before storage.
- Rename uploaded files to randomized identifiers without preserving the original extension, and store them outside the web root.
- Deploy a web application firewall rule that blocks multipart uploads to /add-students.php containing PHP tags or executable extensions.
# Configuration example: disable PHP execution in the uploads directory (Apache)
<Directory "/var/www/osms/uploads">
php_flag engine off
AddType text/plain .php .phtml .phar .php3 .php5 .php7
<FilesMatch "\.(php|phtml|phar|php3|php5|php7)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
