CVE-2025-10600 Overview
A critical unrestricted file upload vulnerability has been discovered in SourceCodester Online Exam Form Submission version 1.0. The flaw exists in the /register.php file, specifically in the handling of the img parameter. This vulnerability allows remote attackers to upload arbitrary files to the server without proper validation, potentially leading to remote code execution or server compromise.
Critical Impact
Remote attackers can exploit this vulnerability to upload malicious files, including web shells, enabling unauthorized access and potential full server compromise.
Affected Products
- Janobe Online Exam Form Submission 1.0
- SourceCodester Online Exam Form Submission 1.0 (all installations using the vulnerable /register.php endpoint)
Discovery Timeline
- September 17, 2025 - CVE-2025-10600 published to NVD
- September 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-10600
Vulnerability Analysis
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control). The registration functionality in the Online Exam Form Submission application fails to properly validate uploaded files through the img parameter. Without adequate file type verification, extension filtering, or content validation, attackers can upload executable scripts disguised as legitimate image files.
The vulnerability is particularly dangerous because it can be exploited remotely without authentication, as the registration endpoint is typically publicly accessible. Once a malicious file is uploaded, an attacker can execute arbitrary code on the web server by directly accessing the uploaded file.
Root Cause
The root cause of this vulnerability lies in the application's failure to implement proper file upload security controls. The /register.php script accepts file uploads through the img parameter without performing essential validation checks, including:
- File extension verification against an allowlist
- MIME type validation
- Content-based file type detection
- Filename sanitization to prevent path traversal
This lack of input validation allows attackers to bypass any intended restrictions and upload files with dangerous extensions such as .php, .phtml, or other server-executable formats.
Attack Vector
The attack can be initiated remotely over the network. An attacker can craft a malicious HTTP POST request to the /register.php endpoint, including a specially crafted file in the img parameter. The file may contain PHP code or other server-side scripts that execute when accessed.
The exploitation process typically involves:
- Preparing a malicious PHP web shell disguised as an image file
- Sending a multipart form-data POST request to /register.php
- Including the malicious file in the img parameter
- Locating the uploaded file on the server (often in a predictable directory)
- Accessing the uploaded file to execute the embedded code
For technical details and proof-of-concept information, see the GitHub CVE Issue Discussion and VulDB Entry #324620.
Detection Methods for CVE-2025-10600
Indicators of Compromise
- Unusual files with double extensions (e.g., image.php.jpg) in upload directories
- Web shell signatures or encoded PHP code in uploaded files
- Unexpected PHP files in image upload directories
- POST requests to /register.php containing suspicious file content
Detection Strategies
- Monitor HTTP traffic to /register.php for unusual file uploads or large multipart requests
- Implement file integrity monitoring on web server upload directories
- Use web application firewall (WAF) rules to detect and block malicious file upload attempts
- Scan uploaded files for PHP code signatures or other executable content
Monitoring Recommendations
- Enable detailed logging for file upload operations and analyze for anomalies
- Configure alerts for new executable files created in web-accessible directories
- Implement real-time monitoring of web server directories for unauthorized file modifications
- Review access logs for patterns indicating exploitation attempts against registration endpoints
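The indicators and detection strategies above can be put into a small scan: walk the upload directory for executable extensions, double extensions, non-image content and PHP code markers, and read the access log for requests that fetch a script out of the upload path (the last step of the exploitation chain). The following is an added example, not code from the advisory or from the SourceCodester project; the upload URL prefix `/uploads/`, the marker list, the sample files and the log lines (RFC 5737 addresses) are constructed assumptions and should be adapted to the real deployment.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Extensions a typical PHP host will execute. A file with one of these in
# an image upload directory is itself an indicator (see the IoC list above).
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".phar"}

# Byte patterns common in PHP web shells. Illustrative list, not exhaustive.
SHELL_MARKERS = [
    re.compile(rb"<\?php\b", re.I),
    re.compile(rb"<\?=", re.I),
    re.compile(rb"\b(eval|system|passthru|shell_exec|assert)\s*\(", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
]

# Leading bytes of the image formats a registration form should accept.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Assumption: the application serves uploads under this URL path.
UPLOAD_URL_PREFIX = "/uploads/"

# Apache/Nginx combined log format: request line, status, response size.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify_file(name: str, data: bytes) -> List[str]:
    """Return IoC labels for one file in an upload directory (empty list = clean)."""
    findings = []
    segments = name.lower().split(".")
    exts = ["." + s for s in segments[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        findings.append("double-extension")  # e.g. image.php.jpg
    if not data.startswith(IMAGE_MAGIC):
        findings.append("not-an-image")
    if any(p.search(data) for p in SHELL_MARKERS):
        findings.append("php-code")
    return findings


def scan_upload_dir(root: str) -> Dict[str, List[str]]:
    """Walk an upload directory and report every file with at least one finding."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read(1024 * 1024)  # shell markers sit near the start in practice
            findings = classify_file(fn, data)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def suspicious_log_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag log lines that request a script from the upload path: (client, path)."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        path = m.group("path").split("?", 1)[0]
        ext = os.path.splitext(path)[1].lower()
        if path.startswith(UPLOAD_URL_PREFIX) and ext in EXECUTABLE_EXTS:
            hits.append((client, path))
    return hits


def build_sample_dir() -> str:
    """Constructed sample upload directory: one clean image, three suspicious files."""
    d = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "ok.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "shell.php": b"<?php /* constructed sample */ eval($x); ?>",
        "image.php.jpg": b"\xff\xd8\xff\xe0<?php /* constructed sample */ base64_decode('x'); ?>",
        "notes.txt": b"just text",
    }
    for fn, content in samples.items():
        with open(os.path.join(d, fn), "wb") as fh:
            fh.write(content)
    return d


# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2025:10:00:01 +0000] "POST /register.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Sep/2025:10:00:03 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 1337',
    '198.51.100.7 - - [17/Sep/2025:10:01:00 +0000] "GET /uploads/ok.jpg HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for path, findings in scan_upload_dir(build_sample_dir()).items():
        print(f"{path}: {', '.join(findings)}")
    for client, path in suspicious_log_entries(SAMPLE_LOG):
        print(f"{client} requested script {path} from the upload directory")
```

The file scan is cheap enough to run from cron against the live upload directory; the log check is the higher-fidelity signal, because a successful request for a `.php` file under the upload path means an uploaded script was actually served, whereas a POST to /register.php alone is also what every legitimate registration looks like.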
How to Mitigate CVE-2025-10600
Immediate Actions Required
- Disable the /register.php functionality until a patch is available
- Review and remove any suspicious files from upload directories
- Implement strict file upload validation including extension allowlisting and MIME type verification
- Configure web server to prevent execution of scripts in upload directories
Patch Information
At the time of publication, no official patch has been released by the vendor for this vulnerability. Organizations using SourceCodester Online Exam Form Submission should monitor the SourceCodester website for updates and consider implementing the workarounds below.
Workarounds
- Implement server-side file type validation by checking both file extensions and MIME types against a strict allowlist
- Configure the web server (Apache/Nginx) to disable script execution in upload directories
- Rename uploaded files to random strings and store them outside the web root
- Implement file content scanning to detect embedded code or malicious patterns
- Consider using a separate domain or subdomain for serving user-uploaded content
# Apache configuration to disable PHP execution in uploads directory.
# php_admin_flag is a mod_php directive and is rejected at startup if mod_php
# is not loaded (e.g. PHP-FPM setups); the FilesMatch block below denies
# requests for script files regardless of how PHP is wired in.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
    <FilesMatch "\.(php|phtml|php3|php4|php5|phps)$">
        Require all denied
    </FilesMatch>
</Directory>
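The checks listed under Root Cause as missing, and the workarounds above that supply them (extension allowlist, MIME verification, content-based type detection, filename sanitisation, random renaming, storage outside the web root), are shown together in the following added example. It is written in Python for clarity and is not the project's code; the same sequence of checks is what a fix in register.php would apply to the img file field. `STORAGE_DIR`, the size limit and the function names are assumptions.

```python
import os
import re
import secrets
import tempfile
from typing import Tuple

# Assumption: a directory outside the document root, writable by the web user.
STORAGE_DIR = "/var/lib/examapp/uploads"
MAX_BYTES = 2 * 1024 * 1024

# Allowlist: extension -> accepted leading bytes. Anything else is rejected.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}
# Name segments that would make the file executable if the name were trusted.
EXEC_SEGMENTS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar"}
# Full PHP open tags only: a bare "<?" would false-positive on the XMP
# metadata ("<?xpacket") many real JPEGs carry. Short tags only matter
# on hosts with short_open_tag enabled.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)


class UploadRejected(ValueError):
    """Carries a reason for the server log; the client should get a generic error."""


def validate_image_upload(client_name: str, data: bytes, declared_mime: str) -> str:
    """Apply every check the vulnerable handler skipped; return a safe storage name."""
    # Filename sanitisation: keep only the last path component, whatever was sent.
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    if any(seg in EXEC_SEGMENTS for seg in stem.lower().split(".")):
        raise UploadRejected("executable segment in filename (double extension)")
    # The declared MIME type is client-controlled; check it, but never rely on it.
    if declared_mime.lower() not in ALLOWED_MIME:
        raise UploadRejected(f"declared MIME {declared_mime!r} not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Content-based detection: the bytes decide, not the extension or MIME type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    if PHP_OPEN_TAG.search(data):
        raise UploadRejected("PHP open tag embedded in image data")
    # Random name plus canonical extension: the client's name never reaches disk.
    canonical = ".jpg" if ext == ".jpeg" else ext
    return secrets.token_hex(16) + canonical


def rejection_reason(client_name: str, data: bytes, declared_mime: str) -> str:
    """Empty string if the upload would be accepted, otherwise the reason."""
    try:
        validate_image_upload(client_name, data, declared_mime)
        return ""
    except UploadRejected as exc:
        return str(exc)


def store_upload(storage_dir: str, storage_name: str, data: bytes) -> str:
    """Write with O_EXCL (no overwrite) and without the execute bit."""
    os.makedirs(storage_dir, mode=0o750, exist_ok=True)
    path = os.path.join(storage_dir, storage_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo(storage_dir: str = "") -> Tuple[str, int]:
    """Run the hardened flow on a constructed JPEG; returns (stored name, size)."""
    target = storage_dir or tempfile.mkdtemp(prefix="examapp-")  # STORAGE_DIR in production
    sample = b"\xff\xd8\xff\xe0" + b"\x00" * 64  # constructed minimal JPEG header
    name = validate_image_upload("../../photo.JPG", sample, "image/jpeg")
    path = store_upload(target, name, sample)
    return os.path.basename(path), os.path.getsize(path)


if __name__ == "__main__":
    print(demo())
    print(rejection_reason("image.php.jpg", b"\xff\xd8\xff\xe0", "image/jpeg"))
```

Because the stored file gets a random name and lives outside the document root, it can only be reached through an application endpoint that reads it back with an image Content-Type, which is what the separate-domain workaround above builds on; the Apache block remains worthwhile as defence in depth for any file that still lands under the web root.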
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

