| Title | detronetdip E-commerce 1.0 Remote Code Execution |
|---|---|
| Severity | CRITICAL (10.0) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Bug Type | CWE-434: Unrestricted Upload of File with Dangerous Type |

Description

The application fails to enforce secure validation on file uploads within the seller profile section. The vulnerability exists due to a chain of logic errors that together allow an attacker to bypass the intended restrictions:

1. Improper MIME Type Validation: The application relies exclusively on the Content-Type header of the multipart upload ($_FILES['file']['type']) to validate the file type. This header is client-controlled and can be set arbitrarily to impersonate a legitimate image (e.g., image/jpeg). The server performs no server-side content verification (such as "magic bytes" analysis).
2. Insecure Filename Generation: Although the application renames uploaded files to a random name, it builds the new filename from the extension of the original uploaded file (end($temp)) and never checks whether that extension is safe for execution.

Consequently, an attacker can upload a file containing malicious PHP code (e.g., a web shell) with a .php extension. The server accepts the file because the MIME type is spoofed, renames it while preserving the .php extension, and stores it in a web-accessible directory (/media/seller_profile/). When the file is requested through a browser, the web server executes the PHP code, granting the attacker full control.

Vulnerable Files:
seller/assets/backend/profile/addadhar.php
seller/assets/backend/profile/addpan.php
seller/assets/backend/profile/addgstcfrt.php
seller/assets/backend/profile/addbscfrt.php

Vulnerable Code Analysis

File: seller/assets/backend/profile/addadhar.php

PHP Code:

```php
// FLAW 1: The code trusts the user-supplied MIME type from the HTTP header.
// An attacker can send a PHP file but set the header to 'image/jpeg' to bypass this.
if ($_FILES['file']['type'] != '' && $_FILES['file']['type'] != 'image/jpeg' ...) {
    $msg = "Format... Not supported";
} else {
    // FLAW 2: The code extracts the extension from the user-supplied filename.
    // If the file is 'shell.php', end($temp) returns 'php'.
    $temp = explode(".", $_FILES["file"]["name"]);
    // The new filename is constructed using the dangerous '.php' extension.
    $filename = rand(111111111, 999999999)... . '.' . end($temp);
    $location = "../../../../media/seller_profile/" . $filename;
    // FLAW 3: The file is moved to a public directory without checking if the user
    // is authenticated or authorized to upload files.
    if (move_uploaded_file($_FILES['file']['tmp_name'], $location)) {
        echo $filename;
    }
}
```
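For comparison, a hardened version of the same handler. This is an added example and not code from the submission or from the detronetdip project; it assumes the form field is still named file, that sellers are identified by a session variable seller_id, and that a directory outside the document root is available for storage (all three are assumptions).

```php
<?php
// Added example (not the project's code). Assumptions: form field 'file', session
// key 'seller_id', and UPLOAD_DIR outside the web root so nothing stored is executable.
session_start();
const UPLOAD_DIR = __DIR__ . '/../private_uploads/seller_profile';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist keyed by the MIME type detected from the file CONTENT, not from the
// client-supplied $_FILES['file']['type'] header. The stored extension comes from
// this table, never from the uploaded filename, so 'shell.php' cannot keep '.php'.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

function store_profile_document(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Magic-bytes check: finfo inspects the leading bytes of the temp file.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($upload['tmp_name']);
    if (!isset(ALLOWED[$detected])) {
        throw new RuntimeException('Format not supported');
    }
    // Unguessable name with a fixed, safe extension chosen by the server.
    $filename = bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
    $location = UPLOAD_DIR . '/' . $filename;
    if (!is_uploaded_file($upload['tmp_name']) ||
        !move_uploaded_file($upload['tmp_name'], $location)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($location, 0640); // not executable, not world-readable
    return $filename;
}

// Authorization first: only an authenticated seller may reach the upload logic.
if (empty($_SESSION['seller_id'])) {
    http_response_code(403);
    exit;
}
echo htmlspecialchars(store_profile_document($_FILES['file'] ?? []));
```

Because the files live outside the document root, they must be served back through a script that checks the seller's authorization, which also means the web server never interprets anything in that directory as PHP.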
| Source | https://github.com/Nixon-H/PHP-Unrestricted-Upload-RCE |
|---|---|
| User | Nixon-H (UID 95173) |
| Submission | 02/04/2026 07:28 (3 months ago) |
| Moderation | 02/07/2026 10:11 (3 days later) |
| Status | Accepted |
| VulDB entry | 344866 [detronetdip E-commerce 1.0.0 addadhar.php File unrestricted upload] |
| Points | 20 |