CVE-2018-18793
published 2018-11-16

CVE-2018-18793: School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.

Priority P267 · critical · 9.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.50% (94.8th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
school_event_management_system_project | school_event_management_system | |

Detection & IOCs (extracted from sources)

url: /event/controller.php?action=photos
path: /event/controller.php
path: /event/photo/
filename: phpinfo_gif.php
  • Detect POST requests to the vulnerable endpoint with a multipart/form-data body containing a PHP file disguised with a GIF magic-byte prefix (GIFefe) as the upload payload.
  • Alert on GET/POST requests to event/controller.php with the query parameter action=photos, which is the sole upload trigger for this vulnerability.
  • Monitor the web-accessible upload directory /event/photo/ for newly created .php (or other executable) files, which would indicate successful webshell placement.
  • Flag multipart file uploads where Content-Type is set to application/force-download rather than a legitimate image MIME type, used here to bypass server-side type checks.
  • The application uses getimagesize() on the uploaded file but does not enforce a safe file extension, allowing a PHP file prefixed with the fake GIF header 'GIFefe' to pass validation.
  • The vulnerable software is School Event Management System version 1.0 only; the upload path prefix [PATH] is installation-dependent and must be adjusted for each deployment.
  • The exploit was tested on a Windows 7 x64 host running Apache/2.4.25 with PHP/5.6.30; behaviour on other OS/PHP version combinations may differ.
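
The request-level checks from the list above (endpoint, executable extension, part Content-Type, GIF prefix followed by a PHP tag), as an added Python example that is not part of the original entry or of the affected project. The extension list, the image allow-list, the form field name `photo`, the `/sems` path prefix and both sample requests are constructed assumptions.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)   # assumed executable extensions
IMAGE_TYPES = {"image/gif", "image/jpeg", "image/png"}    # assumed image allow-list

def inspect_upload(method, url, content_type, body):
    """Return findings for one request; an empty list means nothing was flagged."""
    path, _, query = url.partition("?")
    if (method != "POST" or not path.endswith("/event/controller.php")
            or "action=photos" not in query.split("&")):
        return []
    # Reuse the stdlib MIME parser for the multipart/form-data body.
    msg = BytesParser(policy=HTTP).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    findings = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if not name:
            continue  # ordinary form field, not a file part
        data = part.get_payload(decode=True) or b""
        if EXEC_EXT.search(name):
            findings.append("executable extension: " + name)
        if part.get_content_type() not in IMAGE_TYPES:
            findings.append("non-image Content-Type: " + part.get_content_type())
        if data.startswith(b"GIF") and b"<?php" in data:
            findings.append("PHP tag behind GIF magic bytes")
    return findings

def build_request(filename, part_type, payload):
    """Constructed sample: a one-file multipart body (field name 'photo' is assumed)."""
    b = "sample-boundary"
    body = (f"--{b}\r\nContent-Disposition: form-data; name=\"photo\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {part_type}\r\n\r\n").encode()
    return f"multipart/form-data; boundary={b}", body + payload + f"\r\n--{b}--\r\n".encode()

URL = "/sems/event/controller.php?action=photos"   # '/sems' prefix is a placeholder
BAD = build_request("phpinfo_gif.php", "application/force-download",
                    b"GIFefe<?php /* constructed sample */ ?>")
GOOD = build_request("sports_day.gif", "image/gif", b"GIF89a constructed image bytes")

if __name__ == "__main__":
    for label, (ctype, body) in (("bad", BAD), ("good", GOOD)):
        print(label, inspect_upload("POST", URL, ctype, body))
```

The path match uses a suffix comparison because the install prefix differs per deployment; pair it with file monitoring of the upload directory, since request inspection alone misses uploads that arrive over an uninspected channel.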

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P