File Upload and CORS Exploit in Real-World Apps – Case Study from a University Portal
Published on July 18, 2025 by HVSec Team
During a university penetration test, we uncovered two major security flaws: Unrestricted File Upload and a Misconfigured CORS Policy. Both could be exploited to gain full control over user data and the web application.
1. Vulnerability: Unrestricted File Upload
The student assignment portal allowed PDF uploads but did not properly validate file types.
Attackers could upload a .php file disguised as a .pdf and execute it on the server.
Uploaded files were stored in a web-accessible directory with no Content-Disposition headers, making them directly executable from the browser.
Exploit Path: studentportal.edu/uploads/shell.php
2. Vulnerability: Misconfigured CORS Policy
The application returned overly permissive CORS headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
This configuration allowed attackers to host a malicious script on attacker.com and steal user sessions from the portal using cross-origin requests.
How We Demonstrated the Attack
- Uploaded a controlled proof-of-concept web shell to confirm Remote Code Execution (RCE).
- Built malicious JavaScript to steal active session cookies via CORS.
- Provided a detailed report to the university IT team with impact details.
Impact of the Vulnerabilities
- 7,000+ student records (grades, contact info) were exposed.
- Assignments could be accessed and modified by attackers.
- Administrative sessions could be hijacked remotely.
Recommendations We Provided
- Enforce strict file upload validation – check file extension, MIME type, and magic bytes.
- Host user uploads on a separate non-executable domain or CDN-style subdomain.
- Restrict CORS headers to trusted origins and avoid using credentials: true with wildcards.
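One way to implement the upload and CORS recommendations above, as an added Python sketch that is not the portal's code or part of the original report. The size limit, the single-extension rule, the function names and the origin https://studentportal.example are assumptions made for the example.

```python
import os
import secrets

# Assumed policy values for this sketch (not taken from the portal).
ALLOWED_EXTENSION = ".pdf"
ALLOWED_MIME = "application/pdf"
PDF_MAGIC = b"%PDF-"
MAX_BYTES = 10 * 1024 * 1024
TRUSTED_ORIGINS = {"https://studentportal.example"}  # placeholder origin


def validate_pdf_upload(filename, declared_mime, data):
    """Return (ok, reason) after checking extension, MIME type and magic bytes."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    # Exactly one extension: rejects shell.php and shell.php.pdf alike.
    if len(parts) != 2 or not parts[0] or "." + parts[1] != ALLOWED_EXTENSION:
        return False, "extension"
    # The declared type is client-controlled, so it is one check among several.
    if declared_mime.split(";")[0].strip().lower() != ALLOWED_MIME:
        return False, "mime"
    if not 0 < len(data) <= MAX_BYTES:
        return False, "size"
    if not data.startswith(PDF_MAGIC):
        return False, "magic"
    return True, "ok"


def storage_name():
    """Server-chosen name: the client's filename never reaches the disk."""
    return secrets.token_hex(16) + ALLOWED_EXTENSION


def cors_headers(request_origin):
    """Emit credentialed CORS headers only for an allow-listed origin."""
    if request_origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,  # never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from reusing one origin's response
    }
```

Content checks alone do not stop a file that begins with `%PDF-` and carries script further in, which is why the server-chosen name and the separate non-executable upload host remain necessary.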
Key Takeaway: Even educational portals hold sensitive data and must follow secure file upload practices and proper CORS configurations to prevent critical breaches.