Vendor: Online Course Registration
By: Bobby Cooke
CVSS: 9.8 (HIGH)
Unauthenticated Remote Code Execution
CWE: 284
Product Name: Online Course Registration
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:online_course_registration:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18
2020

Online Course Registration 1.0 – Unauthenticated Remote Code Execution

This exploit allows an unauthenticated attacker to gain access to a webshell on the Online Course Registration 1.0 application. It is based on a similar authentication bypass on the admin page, which was discovered by BKpatron. The attacker can then use the webshell to execute arbitrary commands on the server.

Mitigation:

Ensure that authentication is properly implemented and enforced for all pages and functions of the application.

Exploit-DB raw data: