CVE-2024-12956 Overview
CVE-2024-12956 is an unrestricted file upload vulnerability in 1000 Projects Portfolio Management System MCA 1.0. The flaw resides in /add_achievement_details.php, where the ach_certy parameter accepts attacker-controlled files without proper validation. Remote attackers with a low-privilege authenticated account can exploit this issue over the network to upload arbitrary files to the web server. A public exploit has been disclosed, which increases the risk to exposed deployments. The weakness is classified as improper access control [CWE-284].
Critical Impact
Authenticated remote attackers can upload arbitrary files through the ach_certy parameter, potentially leading to web shell deployment and server compromise.
Affected Products
- 1000 Projects Portfolio Management System MCA 1.0
- Component: /add_achievement_details.php
- Parameter: ach_certy
Discovery Timeline
- 2024-12-26 - CVE-2024-12956 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2024-12956
Vulnerability Analysis
The vulnerability stems from improper handling of file uploads in the /add_achievement_details.php endpoint. The application accepts files submitted through the ach_certy argument without verifying file type, extension, or content. This allows an authenticated attacker to upload executable scripts such as PHP files to a web-accessible directory.
Once uploaded, attackers can request the file directly through the web server, triggering server-side execution. This typically results in arbitrary code execution under the privileges of the web server process. The Portfolio Management System MCA is a PHP-based application, making web shell uploads a direct path to host compromise.
The weakness aligns with [CWE-284] Improper Access Control, reflecting missing authorization and validation checks on the file upload handler. Attackers do not require complex preconditions; the attack is network-based with low complexity and low privilege requirements.
Root Cause
The root cause is the absence of server-side validation on the ach_certy upload parameter. The application fails to enforce allowlists for file extensions, MIME type verification, or content inspection before persisting uploaded files to disk. Storing uploads inside the document root compounds the issue by making them directly callable via HTTP.
Attack Vector
An attacker authenticates to the application with any low-privilege account, then submits a crafted multipart POST request to /add_achievement_details.php containing a malicious file in the ach_certy field. The server writes the file to a predictable location within the web root. The attacker then requests the uploaded file by URL to trigger execution.
Technical details on the exploit are available in the GitHub CVE Portfolio Project and the VulDB entry.
Detection Methods for CVE-2024-12956
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .phar) in upload directories used by the Portfolio Management System
- HTTP POST requests to /add_achievement_details.php containing multipart payloads with non-image content in the ach_certy field
- Outbound network connections initiated by the web server process to unfamiliar hosts following upload activity
- Web server access logs showing direct GET requests to uploaded filenames shortly after a POST to the upload endpoint
Detection Strategies
- Monitor web server logs for POST requests to /add_achievement_details.php and correlate with subsequent GET requests to newly created files in upload paths
- Deploy file integrity monitoring on directories writable by the web server to flag new executable files
- Inspect HTTP request bodies at a web application firewall (WAF) for file uploads where the Content-Type or magic bytes do not match an expected image format
Monitoring Recommendations
- Alert on the PHP or web server process spawning shell utilities such as sh, bash, nc, or python, particularly when the working directory or the script being executed lies under a web upload path
- Review authentication logs for newly created or low-privilege accounts being used to access the achievement details functionality
- Track filesystem events on the web root and quarantine files with mismatched extension and content type
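The log correlation described in the detection strategies above (a POST to the upload endpoint followed shortly by a GET for an executable file in an upload directory) can be expressed as a small script. The following is an added example, not code from the original page or from the 1000 Projects application; the log lines are constructed for illustration, the /portfolio/ prefix and /uploads/ directory are assumptions about the deployment layout, and the ten-minute window is an arbitrary tuning choice. It parses Apache combined-format access logs and reports every GET for a script file under an upload path, noting whether an upload POST (from any client, since the uploader and the requester may differ) preceded it within the window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Apache combined-log lines (not real traffic).
# The third line is the pattern worth alerting on: an upload POST followed by
# a GET for a .php file in the upload directory from the same client.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2024:10:14:02 +0000] "GET /portfolio/index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2024:10:14:40 +0000] "POST /portfolio/add_achievement_details.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2024:10:14:51 +0000] "GET /portfolio/uploads/cert_1735208080.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2024:10:20:03 +0000] "POST /portfolio/add_achievement_details.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2024:10:20:09 +0000] "GET /portfolio/uploads/degree.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/add_achievement_details.php"        # from the advisory
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)                           # assumed correlation window


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_upload_then_exec(log_text, upload_dir="/uploads/"):
    """Flag GETs for script files under upload_dir and correlate them with prior upload POSTs."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    posts = [e for e in events
             if e["method"] == "POST" and e["path"].endswith(UPLOAD_ENDPOINT)]
    alerts = []
    for e in events:
        if e["method"] != "GET" or upload_dir not in e["path"] or not EXEC_EXT.search(e["path"]):
            continue
        # Any upload POST in the preceding window counts, regardless of client IP.
        prior = [p for p in posts if timedelta(0) <= e["ts"] - p["ts"] <= WINDOW]
        alerts.append({
            "path": e["path"],
            "ip": e["ip"],
            "ts": e["ts"].isoformat(),
            "status": e["status"],
            "preceded_by_upload": bool(prior),
            "uploader_ips": sorted({p["ip"] for p in prior}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_exec(SAMPLE_LOG):
        print(alert)
```

A GET for a script file in an upload directory is worth a ticket on its own; the preceded_by_upload flag and uploader_ips list are what let an analyst jump straight from the alert to the account that performed the upload in the application's own logs. The degree.pdf request in the sample is deliberately left unflagged to show that ordinary certificate downloads do not trip the rule.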
How to Mitigate CVE-2024-12956
Immediate Actions Required
- Restrict network access to the Portfolio Management System MCA 1.0 application until a vendor patch is applied
- Disable or remove the /add_achievement_details.php endpoint if the achievement feature is not required
- Audit the upload directory for unauthorized files and remove any unrecognized scripts
- Rotate credentials for all application accounts, particularly any that may have been used to authenticate to the vulnerable endpoint
Patch Information
No vendor patch has been published at the time of writing. Refer to the 1000Projects Resource Hub for any future updates from the vendor. Organizations should treat the deployment as unsupported and apply compensating controls.
Workarounds
- Configure the web server to deny execution of scripts within upload directories, for example by disabling PHP handlers in those paths
- Implement a reverse proxy or WAF rule that blocks multipart uploads to /add_achievement_details.php containing non-image MIME types
- Enforce strict file type allowlists at the application boundary and validate magic bytes server-side
- Move uploaded files outside the web root and serve them through a controlled download handler that sets a non-executable Content-Type
# Example Apache configuration to disable PHP execution in the upload directory
<Directory "/var/www/html/portfolio/uploads">
    # Turn the PHP engine off for this path. This directive belongs to mod_php;
    # under PHP-FPM Apache does not recognise it, so omit it there and rely on the
    # FilesMatch block below.
    php_admin_flag engine off
    # Serve script extensions as plain text rather than handing them to PHP
    AddType text/plain .php .phtml .phar
    # Refuse to serve script files from this directory at all (works with both mod_php and PHP-FPM)
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
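The application-level workarounds above (an extension allowlist, server-side magic-byte validation, storage outside the web root, and a controlled download handler) fit together as one upload pipeline. The following is an added example written in Python to show the checks in a language-neutral way; it is not code from the original page or from the PHP-based 1000 Projects application, and the allowlist, size limit, and random-name scheme are assumptions about what an achievement certificate upload should accept. It shows why a renamed script, a double extension, and a polyglot file are all rejected or rendered harmless even before the web server configuration is considered.

```python
import os
import secrets

# Allowlist of certificate formats the achievement upload accepts (assumed):
# canonical extension -> (leading magic bytes, Content-Type used when serving it).
ALLOWED_TYPES = {
    "pdf": (b"%PDF-", "application/pdf"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def validate_certificate(client_filename, data):
    """Return (canonical_ext, content_type) for an acceptable upload, else raise UploadRejected.

    The client-supplied name is used only to decide which format to expect; the
    bytes must actually begin with that format's magic number. A PHP script
    renamed to .pdf therefore fails the magic check, a bare .php name fails the
    allowlist, and cert.php.pdf is treated purely as a PDF.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    base = os.path.basename(client_filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    magic, content_type = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    # Defence in depth: reject polyglots that carry a PHP open tag inside an
    # otherwise valid container, in case a script handler is ever re-enabled
    # on the storage path.
    if b"<?php" in data:
        raise UploadRejected("embedded PHP open tag")
    return ext, content_type


def is_accepted(client_filename, data):
    """Boolean wrapper around validate_certificate for callers that only need yes/no."""
    try:
        validate_certificate(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_certificate(client_filename, data, storage_dir):
    """Persist an accepted upload under a server-chosen random name (storage_dir is outside the web root)."""
    ext, content_type = validate_certificate(client_filename, data)
    token = secrets.token_hex(16)            # the client never influences the stored path
    path = os.path.join(storage_dir, f"{token}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                    # readable by the application, never executable
    return token, ext, content_type


def download_headers(token, ext):
    """Headers for a controlled download handler that streams a stored certificate."""
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        "Content-Disposition": f'attachment; filename="certificate-{token}.{ext}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo_store():
    """Self-check: store a constructed double-extension PDF and confirm only the random .pdf name exists."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        token, ext, _ = store_certificate("cert.php.pdf", b"%PDF-1.4\n%%EOF\n", d)
        return os.listdir(d) == [f"{token}.{ext}"] and ext == "pdf"


if __name__ == "__main__":
    print("double-extension PDF stored safely:", demo_store())
    print("renamed script accepted:", is_accepted("shell.pdf", b"<?php echo 'x'; ?>"))
```

The download handler is the other half of the design: because files live outside the document root, the only way to retrieve one is through application code that looks the token up, sets a non-executable Content-Type, and marks the response nosniff, so even a file that slipped past validation would be delivered as an attachment rather than executed.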
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.