CVE-2024-12951 Overview
CVE-2024-12951 is an unrestricted file upload vulnerability in 1000 Projects Portfolio Management System MCA 1.0. The flaw resides in the /add_personal_details.php script, where the profile parameter accepts arbitrary file content without validation. Remote attackers with low privileges can exploit this issue over the network to upload files of their choosing. The exploit details have been disclosed publicly, increasing the risk of opportunistic abuse against exposed instances. The weakness is categorized under [CWE-284] Improper Access Control and has a limited impact on confidentiality, integrity, and availability.
Critical Impact
Authenticated remote attackers can upload arbitrary files through the profile parameter of /add_personal_details.php, enabling potential web shell deployment and follow-on compromise of the application.
Affected Products
- 1000 Projects Portfolio Management System MCA 1.0
- Component: /add_personal_details.php
- CPE: cpe:2.3:a:1000projects:portfolio_management_system_mca:1.0
Discovery Timeline
- 2024-12-26 - CVE-2024-12951 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2024-12951
Vulnerability Analysis
The vulnerability exists in the file upload handler implemented in /add_personal_details.php. The script processes the profile argument without enforcing restrictions on file type, extension, MIME content, or size. An authenticated user can submit a crafted multipart request that places executable content into a directory accessible by the web server.
Because the application is written in PHP, uploaded files with server-executable extensions can be invoked directly through HTTP requests once stored. This converts a file upload feature into a remote code execution primitive against the host. The issue is tracked under [CWE-284] Improper Access Control, reflecting the absence of authorization checks on accepted file content.
Root Cause
The root cause is the absence of allow-list validation on the profile upload parameter. The handler trusts client-supplied filenames and content types instead of verifying file headers and enforcing a strict extension policy. No server-side rewriting or sandboxed storage location is applied to uploaded artifacts.
Attack Vector
An attacker authenticates to the application with any valid low-privilege account. The attacker then issues a POST request to /add_personal_details.php with the profile field containing a PHP payload disguised as a profile image. After upload, the attacker requests the stored file path directly, triggering server-side execution. Public disclosure of the exploit details lowers the barrier for reuse. See the GitHub CVE Project Repository and VulDB #289314 entries for technical details.
Detection Methods for CVE-2024-12951
Indicators of Compromise
- Unexpected files with executable extensions such as .php, .phtml, or .phar inside profile or upload directories used by the application.
- Web server access logs showing POST requests to /add_personal_details.php followed by GET requests to newly created files in upload paths.
- Outbound network connections originating from the web server process shortly after profile updates.
Detection Strategies
- Inspect file integrity baselines for the application web root and flag any new server-executable file written by the web service account.
- Deploy web application firewall rules that block uploads where the profile parameter contains PHP tags or non-image magic bytes.
- Correlate authentication events with rapid POST-then-GET sequences against /add_personal_details.php to surface exploitation attempts.
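The POST-then-GET correlation described above can be run directly over web server access logs. The following Python sketch is an added example, not code from the vendor or the advisory; the /uploads/ storage prefix, the five-minute window, and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2024:10:15:02 +0000] "POST /add_personal_details.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2024:10:15:09 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Dec/2024:10:20:00 +0000] "POST /add_personal_details.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Dec/2024:10:20:03 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
UPLOAD_ENDPOINT = "/add_personal_details.php"
UPLOAD_PREFIX = "/uploads/"       # assumed storage path; adjust per deployment
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
WINDOW = timedelta(minutes=5)     # assumed correlation window

def find_upload_then_execute(log_text):
    """Return (client_ip, url, status) for script requests that follow an upload."""
    last_post = {}                # client IP -> time of its latest upload POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0].lower()
        if method == "POST" and path == UPLOAD_ENDPOINT:
            last_post[ip] = when
        elif (method == "GET" and path.startswith(UPLOAD_PREFIX)
              and path.endswith(SCRIPT_EXT) and ip in last_post
              and when - last_post[ip] <= WINDOW):
            hits.append((ip, url, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print("suspicious sequence:", hit)
```

A 200 status on the flagged GET means the server served or executed the stored script, which makes that host a priority for the upload directory audit.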
Monitoring Recommendations
- Enable verbose HTTP logging on the application and forward logs to a centralized analytics platform for retention and search.
- Alert on web server processes spawning child processes such as sh, bash, cmd.exe, or powershell.exe.
- Monitor file system writes to web-accessible directories and validate file extensions against an approved allow-list.
How to Mitigate CVE-2024-12951
Immediate Actions Required
- Restrict network access to the Portfolio Management System MCA application until a vendor fix is available.
- Disable the profile update functionality or place /add_personal_details.php behind administrative authentication and IP allow-listing.
- Audit existing upload directories for unauthorized files and remove any artifacts that do not match expected image content.
Patch Information
No vendor advisory or official patch has been published for CVE-2024-12951 at the time of writing. Refer to the 1000 Projects site and the VulDB CTI ID #289314 record for any future updates from the maintainer.
Workarounds
- Configure the web server to deny script execution within upload directories using directives such as php_flag engine off or equivalent location-based rules.
- Add server-side validation that verifies file magic bytes and enforces an allow-list of safe extensions before persisting uploads.
- Rename uploaded files to randomized, non-executable filenames and store them outside the web root where feasible.
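```apache
# Example Apache configuration to block script execution in uploads
<Directory "/var/www/html/uploads">
    # php_flag is a mod_php directive; it is not available under PHP-FPM or CGI
    php_flag engine off
    # Serve PHP-family extensions as plain text instead of passing them to a handler
    AddType text/plain .php .phtml .php5 .phar
    # Disallow CGI execution in this directory
    Options -ExecCGI
</Directory>
```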
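The validation and renaming workarounds, and the upload directory audit listed under Immediate Actions Required, share one check: extension allow-list plus magic bytes. The Python sketch below is an added example, not the application's code or a vendor fix; the JPEG/PNG/GIF policy, the function names, and the sample files are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed policy: JPEG, PNG and GIF only. Extension -> accepted magic-byte prefixes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename, data):
    """Return None if the file passes, otherwise the reason it is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return "magic bytes do not match extension"
    # Catches the common polyglot case; short tags (<?=) are not covered,
    # which is why script execution must also be disabled in the directory.
    if b"<?php" in data.lower():
        return "embedded PHP open tag"
    return None

def stored_name(filename):
    """Server-chosen random name; only the validated extension is kept."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()

def audit_directory(root):
    """Walk an upload directory and map each failing file path to its reason."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                reason = check_upload(name, fh.read())
            if reason:
                findings[os.path.relpath(path, root)] = reason
    return findings

# Constructed sample uploads (name -> first bytes), not taken from a real system.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.jpg": b"<?php /* placeholder */ ?>",
    "notes.phtml": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check_upload(name, data) or "ok: " + stored_name(name))
```

The same `check_upload` logic applies at upload time (reject before persisting, then store under `stored_name`) and after the fact through `audit_directory` on the existing upload path.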