The vulnerability resides in the `removefile` function within /app/controllers/FilehelperController.php. This function accepts a user-controlled `filepath` parameter without adequate sanitization or validation. An attacker can remotely send HTTP requests with manipulated `filepath` arguments, such as excessively long strings, directory traversal sequences, or references to critical system files. When processed, the application attempts to handle this input, leading to resource exhaustion—like consuming all available memory or CPU cycles. This occurs because the function may enter an infinite loop, attempt to delete non-existent files recursively, or trigger fatal errors that crash the PHP process. The lack of input filtering allows arbitrary path injection, causing the web server to become unresponsive. As the function is accessible without proper authentication, unauthorized users can repeatedly trigger this flaw. The denial-of-service condition prevents legitimate users from accessing the management system, disrupting operations. The exploit leverages the application’s failure to enforce path constraints or timeouts, making it easy to launch sustained attacks. Public exploit code likely crafts POST or GET requests targeting the vulnerable endpoint, overwhelming the server.
Platform: SourceCodester Pre-School System
Version: 1.0
Vulnerability: Denial of Service
Severity: Medium
Date: 11/23/2025
Prediction: Patch expected December
What Undercode Say:
Analytics
```bash
curl -X POST -d "filepath=../../../etc/passwd" http://target/app/controllers/FilehelperController.php
curl -X POST -d "filepath=$(python3 -c 'print("A"*10000)')" http://target/endpoint
find /var/www/html -name "FilehelperController.php" -exec grep -l "removefile" {} \;
python3 -c "import requests; requests.post('http://target/path', data={'filepath':'/'})"
# bash script to send repeated requests:
for i in {1..1000}; do curl -s http://target/vuln > /dev/null; done
```
How Exploit:
Craft HTTP request with malicious filepath parameter.
Send repeated requests to trigger resource exhaustion.
Use public exploit to target unpatched systems remotely.
Manipulate filepath to point to system root directories.
Exploit requires low privileges via web interface.
Protection from this CVE Impact:
Apply vendor patch immediately.
Implement input validation for filepaths.
Restrict access to administrative functions.
Use web application firewall rules.
Monitor server logs for anomalous requests.
Disable vulnerable controller if possible.
Update to latest software version.
Limit PHP execution time and memory.
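One way to implement the filepath validation item above, as an added example (not SourceCodester's code; the body of the real `removefile` is not shown on this page). The function name `safe_remove_file`, the 255-byte length cap and the single upload root are assumptions.

```php
<?php
declare(strict_types=1);

const MAX_PATH_LEN = 255; // assumed cap; rejects oversized input before any I/O

/**
 * Hypothetical hardened delete helper (not the project's removefile).
 * Returns true only when a regular file strictly inside $root was removed.
 */
function safe_remove_file(string $filepath, string $root): bool
{
    // Cheap checks first: empty, oversized, or NUL-containing input never reaches the filesystem.
    if ($filepath === '' || strlen($filepath) > MAX_PATH_LEN || strpos($filepath, "\0") !== false) {
        return false;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }
    // realpath() collapses "../" and symlinks, and returns false for paths that do not exist.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($filepath, '/\\'));
    if ($target === false) {
        return false;
    }
    // Containment: the resolved path must sit below the root, not equal it or escape it.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Regular files only: directories are refused, so one request is one unlink at most.
    return is_file($target) && unlink($target);
}

// Constructed demo: a temporary directory stands in for the upload root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'removefile_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/report.txt', 'x');
$inputs = ['report.txt', '../../../etc/passwd', str_repeat('A', 10000), '/'];
foreach ($inputs as $input) {
    $ok = safe_remove_file($input, $root);
    printf("%-22s => %s\n", substr($input, 0, 20), $ok ? 'deleted' : 'rejected');
}
rmdir($root);
```

For the execution time and memory item, the `max_execution_time` and `memory_limit` directives in `php.ini` bound what any single request can consume even if a validation gap remains.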
Sources:
Reported By: nvd.nist.gov

