CVE-2002-1798 in MidiCart PHP

Summary

by MITRE

MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php.


Analysis

by VulDB Data Team • 09/01/2025

The vulnerability identified as CVE-2002-1798 affects MidiCart PHP products including PHP Plus and PHP Maxi, presenting critical security risks through improper access controls and file upload mechanisms. This vulnerability stems from inadequate input validation and authentication checks within the administrative interfaces of these e-commerce platforms. The flaw allows remote attackers to exploit direct access points to perform unauthorized actions that could compromise the entire system.

The vulnerability has two primary attack vectors, both of which reflect poor security design. The first permits arbitrary PHP file uploads through direct requests to admin/upload.php, a classic insecure file upload vulnerability. This flaw enables attackers to bypass normal upload restrictions and execute malicious code on the server. The second exposes sensitive credit card information through direct access to admin/credit_card_info.php, indicating inadequate access controls and information disclosure issues. Both attack paths exploit the lack of proper authentication mechanisms and authorization checks, allowing unauthenticated remote access to privileged administrative functions.

The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with complete administrative control over affected systems. Successful exploitation of the file upload vulnerability enables attackers to deploy web shells, backdoors, or other malicious payloads that can persist on the server and maintain access. The information disclosure component threatens financial data security, potentially exposing sensitive credit card information and customer data. These combined effects represent a severe compromise of system integrity, confidentiality, and availability, as attackers can both gain persistent access and extract valuable data. The vulnerability affects the core functionality of e-commerce platforms, potentially leading to financial losses, regulatory violations, and reputational damage for affected organizations.

Mitigation strategies for CVE-2002-1798 should focus on implementing robust access controls and input validation measures. Organizations must ensure that administrative interfaces require proper authentication and authorization before granting access to sensitive functions. File upload mechanisms should implement strict file type validation, content inspection, and secure storage practices to prevent malicious file execution. The vulnerability aligns with CWE-434, which addresses insecure file upload, and CWE-200, which covers information exposure. From an ATT&CK framework perspective, this vulnerability maps to T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol), demonstrating how attackers can leverage web application flaws to achieve persistent access and data exfiltration. Organizations should immediately apply vendor patches, implement network segmentation, and conduct thorough security audits of all administrative interfaces to prevent exploitation of these critical flaws.
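
The two mitigations named above (an authentication check on every admin script, and upload validation with content inspection and secure storage) can be sketched in PHP as follows. This is an added example, not MidiCart code or a vendor patch; the function names, the `admin_id` session key, the allowlist and the storage path are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical guard: call at the top of every script under admin/.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 'admin_id' is an assumed session key set by the login page after a successful login.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Allowlist of extension => expected MIME type (assumed: the shop only needs product images).
const ALLOWED_UPLOADS = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Validates one entry of $_FILES and stores it under a server-chosen name.
// $storageDir is assumed to lie outside the web root or to have script execution disabled.
function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Content inspection: detect the MIME type from the bytes, not the client-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Never reuse the client's file name; a random name prevents path tricks and overwrites.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

// Usage in a hypothetical admin/upload.php:
//   require_admin();
//   $path = store_upload($_FILES['image'], '/var/shop-uploads');
```

The same `require_admin()` call belongs at the top of any page that displays stored payment data, so that a direct request without an admin session returns 403 instead of the page content.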
