CVE-2024-10413 Overview
CVE-2024-10413 is an unrestricted file upload vulnerability in SourceCodester Online Hotel Reservation System 1.0, developed by Janobe. The flaw resides in the upload function within /guest/update.php, where the image parameter accepts arbitrary file content without validation. The issue is exploitable remotely over the network and requires only low privileges. Exploit details have been publicly disclosed through VulDB and a GitHub proof-of-concept repository. The weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Remote authenticated attackers can upload arbitrary files through the image parameter of /guest/update.php, potentially leading to web shell deployment and server compromise.
Affected Products
- Janobe Online Hotel Reservation System 1.0
- SourceCodester distribution of Online Hotel Reservation System
- Component: /guest/update.php upload handler
Discovery Timeline
- 2024-10-27 - CVE-2024-10413 published to the National Vulnerability Database (NVD)
- 2024-10-29 - Last updated in NVD database
Technical Details for CVE-2024-10413
Vulnerability Analysis
The vulnerability stems from missing file type and content validation in the upload function inside /guest/update.php. The application accepts user-supplied data via the image argument and writes the content to the server filesystem without verifying extension, MIME type, or signature.
An authenticated attacker with guest-level credentials can submit a crafted multipart form request containing executable content. Because the application stores the file in a location accessible by the web server, the uploaded artifact can be requested directly to trigger server-side execution.
The issue maps to CWE-434, a common pattern in PHP applications that trust client-supplied filename and content-type metadata rather than inspecting the uploaded content server-side. The EPSS probability is 0.145%, with a percentile of 34.358 as of the May 2026 dataset.
Root Cause
The update.php script trusts the file extension and MIME type provided by the HTTP client. It performs no allowlist check against image-only formats and no magic-byte verification. The script also fails to randomize the destination filename or place uploads outside the web root, leaving stored content directly addressable through the browser.
Attack Vector
The attack vector is network-based and requires low privileges, typically a registered guest account. The attacker submits a POST request to /guest/update.php with a multipart payload where the image field contains a .php or polyglot file. After upload, the attacker requests the stored file URL to execute commands. No user interaction is required.
No verified proof-of-concept code is included in this advisory. Public documentation of the exploitation steps is available in the GitHub Vulnerability Documentation and VulDB CTI ID #281954.
Detection Methods for CVE-2024-10413
Indicators of Compromise
- Presence of files with executable extensions (.php, .phtml, .phar) inside upload directories used by the Online Hotel Reservation System
- HTTP POST requests to /guest/update.php containing Content-Type: multipart/form-data and an image field with non-image content
- New or modified files in guest profile image directories that were not created through normal application workflows
- Outbound network connections originating from the PHP-FPM or Apache worker process to unfamiliar destinations
Detection Strategies
- Inspect web access logs for POST requests to /guest/update.php followed by GET requests to the upload destination directory
- Apply file integrity monitoring on web root directories to flag new server-executable files
- Use a web application firewall (WAF) rule to inspect uploaded file signatures and block non-image magic bytes on the image parameter
- Correlate authentication events with upload activity to identify low-privileged guest accounts performing unexpected actions
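The first detection strategy above, as an added example that is not part of this advisory: a PHP 8 CLI script that walks Apache combined-format access log lines and reports any GET of a server-executable file under the upload directory, marking it as chained when the same client POSTed to /guest/update.php shortly before. The log lines are constructed, and UPLOAD_PREFIX and WINDOW_SECS are assumptions.

```php
<?php
// Added example, not part of the advisory: correlate POSTs to /guest/update.php
// with later GETs of executable files under the upload directory by the same IP.
// Log lines below are constructed; UPLOAD_PREFIX and WINDOW_SECS are assumptions.
declare(strict_types=1);
const UPLOAD_PREFIX = '/uploads/';   // assumed location of stored profile images
const WINDOW_SECS   = 300;           // assumed: POST followed by GET within 5 minutes
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

// Returns one alert per GET of a .php/.phpN/.phtml/.phar file under UPLOAD_PREFIX;
// 'chained' is true when the same IP POSTed to /guest/update.php inside the window.
function findUploadExecChains(array $lines): array
{
    $lastPost = [];   // client IP => epoch of its last POST to /guest/update.php
    $alerts   = [];
    foreach ($lines as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue;   // not a combined-format request line
        }
        [, $ip, $stamp, $method, $target, $status] = $m;
        $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $stamp);
        if ($t === false) { continue; }
        $path = explode('?', $target, 2)[0];   // drop any query string
        if ($method === 'POST' && $path === '/guest/update.php') {
            $lastPost[$ip] = $t->getTimestamp();
            continue;
        }
        $executable = preg_match('/\.(php\d?|phtml|phar)$/i', $path) === 1;
        if ($method === 'GET' && str_starts_with($path, UPLOAD_PREFIX) && $executable) {
            $delta = isset($lastPost[$ip]) ? $t->getTimestamp() - $lastPost[$ip] : null;
            $alerts[] = [
                'ip'      => $ip,
                'path'    => $path,
                'status'  => (int) $status,
                'chained' => $delta !== null && $delta >= 0 && $delta <= WINDOW_SECS,
            ];
        }
    }
    return $alerts;
}

// Constructed sample: one benign profile-image update and one suspicious chain.
$sample = [
    '198.51.100.9 - - [28/Oct/2024:10:16:00 +0000] "POST /guest/update.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Oct/2024:10:16:03 +0000] "GET /uploads/3f9a.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2024:10:20:01 +0000] "POST /guest/update.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2024:10:20:09 +0000] "GET /uploads/avatar.php?v=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];
print_r(findUploadExecChains($sample));
```

A GET of an executable file under the upload path is reported even without a preceding POST, since the file should never exist there at all; the chained flag only raises the priority.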
Monitoring Recommendations
- Forward Apache, Nginx, and PHP error logs to a centralized analytics platform for retention and correlation
- Alert on process creation events where the web server parent spawns sh, bash, cmd.exe, or scripting interpreters
- Track guest accounts that perform repeated updates to profile images within short time windows
How to Mitigate CVE-2024-10413
Immediate Actions Required
- Restrict access to /guest/update.php at the web server or reverse proxy layer until a patched build is available
- Audit all upload directories for unauthorized PHP files and remove any artifacts that do not match expected image formats
- Reset credentials for guest accounts and review recent authentication logs for suspicious sign-ins
- Disable PHP execution in directories used to store user-supplied uploads through web server configuration
Patch Information
No vendor patch is currently listed for Janobe Online Hotel Reservation System 1.0. Administrators should monitor the SourceCodester Security Resources page for updated releases. Refer to VulDB #281954 for tracking of vendor response status.
Workarounds
- Implement server-side allowlist validation that checks both file extension and magic bytes before storing uploads
- Rename uploaded files to randomized identifiers and serve them through a controller that sets Content-Disposition: attachment
- Configure Apache with a <Directory> block that sets php_admin_flag engine off for the uploads path
- Place upload storage outside the document root and proxy access through a script that validates ownership
# Configuration example: disable PHP execution in upload directory (Apache)
<Directory "/var/www/html/uploads">
    # Only effective under mod_php (Apache refuses to start if mod_php is not loaded)
    php_admin_flag engine off
    # Serve PHP-like files as inert text instead of handing them to the interpreter
    AddType text/plain .php .phtml .phar .php3 .php4 .php5
    Options -ExecCGI
    # PHP-FPM ignores php_admin_flag, so also refuse to serve PHP-like files at all
    <FilesMatch "\.(php[3-7]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
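The application-level workarounds above (allowlist plus magic-byte validation, randomized filenames, storage outside the document root, and serving through a controller), as an added PHP 8 example that is not code from the Online Hotel Reservation System. UPLOAD_DIR, MAX_BYTES and the function names are assumptions; the ownership check mentioned in the last workaround is left to the caller of serveProfileImage.

```php
<?php
// Added example, not code from the Online Hotel Reservation System: a hardened
// profile-image upload applying the workarounds listed above. UPLOAD_DIR,
// MAX_BYTES and the function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/hotel_uploads';   // assumed: outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate $_FILES['image'] server-side and store it under a random name.
// The client-supplied filename, extension and Content-Type are never consulted.
function storeProfileImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Magic-byte sniff of the actual content (libmagic), then an independent
    // decoder check; both must agree on an allowlisted image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || $info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not an allowed image');
    }
    // Server-chosen random name and extension; stored outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('store failed');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0640);   // no execute bit
    return $name;   // persist this name with the guest record
}

// Serve a stored image through a controller (caller has already verified the
// requesting guest owns $name) as an attachment with a fixed Content-Type.
function serveProfileImage(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) { http_response_code(404); return; }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```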
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.