CVE-2024-2930 Overview
A critical unrestricted file upload vulnerability has been discovered in SourceCodester Music Gallery Site version 1.0. The flaw is in the save_music handler reached through the classes/Master.php?f=save_music endpoint, which does not validate the uploaded file before storing it, so an attacker can upload arbitrary files, including server-side scripts, into a web-accessible directory. Successful exploitation can lead to remote code execution on the affected web server.
Critical Impact
Attackers can upload malicious PHP files to the web server, potentially gaining complete control over the application and underlying system through remote code execution.
Affected Products
- SourceCodester Music Gallery Site 1.0
- oretnom23 music_gallery_site 1.0
Discovery Timeline
- 2024-03-27 - CVE-2024-2930 published to NVD
- 2025-02-18 - Last updated in NVD database
Technical Details for CVE-2024-2930
Vulnerability Analysis
This vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) allows remote attackers to bypass file upload restrictions in the Music Gallery Site application. The save_music function in Master.php fails to implement proper server-side validation of uploaded file types, extensions, and content. An attacker can exploit this weakness to upload web shells or other malicious scripts that execute with the privileges of the web server process, potentially leading to full system compromise.
Root Cause
The root cause lies in the inadequate input validation within the file upload handling mechanism. The Master.php script's save_music function does not:
- Validate file extensions against a whitelist of allowed types
- Check MIME types or file content signatures
- Implement proper filename sanitization
- Restrict upload directories or execution permissions
This allows an attacker to upload files with executable extensions (such as .php) that will be processed by the web server when accessed.
Attack Vector
The attack can be launched remotely without authentication. The attacker sends a crafted multipart HTTP POST to the classes/Master.php?f=save_music endpoint in which the file part carries a PHP payload (for example a web shell) under a .php filename, presented as if it were a music upload. Because the handler performs no file type validation, the file is written under the web root with its original extension. The attacker then requests the uploaded file directly, and the web server executes it with the privileges of the web server process. For technical details, refer to the GitHub vulnerability disclosure.
Detection Methods for CVE-2024-2930
Indicators of Compromise
- Presence of unexpected PHP files in upload directories (typically /uploads/ or similar)
- Web server access logs showing requests to newly created PHP files in upload directories
- Suspicious POST requests to classes/Master.php?f=save_music with unusual file types
- Unexpected outbound network connections from the web server process
Detection Strategies
- Monitor web server logs for POST requests to Master.php containing f=save_music parameter followed by requests to files in upload directories
- Implement file integrity monitoring on web application directories to detect unauthorized file additions
- Deploy web application firewalls (WAF) with rules to detect malicious file upload attempts
- Review uploaded files for PHP tags or other executable content
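The log correlation described in the detection strategies, as an added example that is not part of the original page: a PHP CLI script that reads Apache combined-format access log lines, records which client IPs POSTed to classes/Master.php?f=save_music, and flags any later request for a script-like file under an uploads directory, noting whether the same IP uploaded just before. The log lines are constructed for the demonstration, and the application prefix (/music_gallery/) and the uploads path are assumptions.

```php
<?php
// Added example, not from the original page or the project. Detects the
// "POST to save_music, then fetch a .php from uploads" sequence in Apache logs.
// The sample lines below are constructed; paths are assumptions.

$sample_log = <<<'LOG'
203.0.113.7 - - [28/Mar/2024:10:14:02 +0000] "GET /music_gallery/admin/?page=music HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2024:10:14:20 +0000] "POST /music_gallery/classes/Master.php?f=save_music HTTP/1.1" 200 35 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2024:10:14:31 +0000] "GET /music_gallery/uploads/music/1711620860_shell.php?cmd=id HTTP/1.1" 200 89 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:15:00 +0000] "POST /music_gallery/classes/Master.php?f=save_music HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:15:05 +0000] "GET /music_gallery/uploads/music/1711620900_song.mp3 HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Mar/2024:11:02:17 +0000] "GET /music_gallery/uploads/music/1711620860_shell.php?cmd=whoami HTTP/1.1" 200 90 "-" "curl/8.4.0"
LOG;

// Apache combined log: client IP, timestamp, method, request path, status.
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
// The vulnerable endpoint, regardless of the application's URL prefix.
const UPLOAD_ENDPOINT_RE = '#/classes/Master\.php\?f=save_music#i';
// Anything script-like served from an uploads directory; query string allowed.
const EXEC_IN_UPLOADS_RE = '#/uploads/.*\.(php\d?|phtml|phar)(\?|$)#i';

function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Returns one alert per request for a script inside uploads. A prior
// save_music POST from the same IP is attached when one was seen, but a hit
// without one is still reported: a web shell is often fetched from elsewhere.
function find_upload_then_execute(string $log): array
{
    $last_upload_by_ip = [];
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && preg_match(UPLOAD_ENDPOINT_RE, $r['path'])) {
            $last_upload_by_ip[$r['ip']] = $r['time'];
            continue;
        }
        if (preg_match(EXEC_IN_UPLOADS_RE, $r['path'])) {
            $alerts[] = [
                'ip' => $r['ip'],
                'time' => $r['time'],
                'path' => $r['path'],
                'status' => $r['status'],
                'prior_upload_at' => $last_upload_by_ip[$r['ip']] ?? null,
            ];
        }
    }
    return $alerts;
}

foreach (find_upload_then_execute($sample_log) as $a) {
    printf(
        "ALERT %s %s requested %s (HTTP %d)%s\n",
        $a['time'], $a['ip'], $a['path'], $a['status'],
        $a['prior_upload_at'] !== null ? " after save_music POST at {$a['prior_upload_at']}" : ''
    );
}
```

Run it with `php detect_save_music.php < /dev/null` after replacing `$sample_log` with `file_get_contents('/var/log/apache2/access.log')`. On the constructed input it reports two alerts, both for the .php under uploads, and none for the legitimate .mp3 fetch; the second alert has no prior upload from 192.0.2.44, which is exactly the case a rule that only correlates by IP would miss.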
Monitoring Recommendations
- Enable detailed logging for the web application upload functionality
- Configure alerts for new executable files created in web-accessible directories
- Monitor process execution chains for web server processes spawning shell commands
- Implement real-time file scanning on upload directories
How to Mitigate CVE-2024-2930
Immediate Actions Required
- Remove or disable the Music Gallery Site application if not critical to operations
- Restrict access to the classes/Master.php endpoint via web server configuration (for example to administrator source addresses), keeping in mind that the same script dispatches the application's other save and delete actions, so a blanket deny disables the admin interface
- Audit upload directories for any suspicious or recently created files
- Implement IP-based access restrictions for administrative functions
Patch Information
As of the last NVD update on 2025-02-18, no official vendor patch has been released for this vulnerability. Organizations using SourceCodester Music Gallery Site 1.0 should consider implementing the workarounds below or migrating to alternative software solutions. Monitor the VulDB entry for updates on patch availability.
Workarounds
- Implement server-side file extension whitelisting (allow only audio file types like .mp3, .wav, .ogg)
- Add MIME type validation to verify uploaded files match expected audio content
- Store uploaded files outside the web root or in directories with execution disabled
- Rename uploaded files to random server-generated names, keeping only the validated extension and never reusing any part of the client-supplied filename
- Implement authentication requirements for the upload functionality
# Apache configuration to disable script execution in the upload directory.
# php_admin_flag is honoured only by mod_php; under PHP-FPM it is an unknown
# directive, so remove it there and rely on the FilesMatch deny, which holds
# in both setups. Adjust the path to the installation's real upload directory.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
    Options -ExecCGI -Includes
    <FilesMatch "\.(php|phtml|phar|phps|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
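The server-side controls listed under Root Cause and Workarounds, as an added example in PHP that is not the Music Gallery Site's own code: a hardened replacement for a save_music-style handler that whitelists extensions, sniffs file content with the fileinfo extension instead of trusting the client's Content-Type, assigns a random server-chosen name, stores the file outside the web root, and serves it back through a function that accepts only names it generated. The form field name `audio`, the storage directory, the MIME map and the JSON return shape are assumptions made for illustration; the commented vulnerable pattern at the top is the typical shape of such handlers, not the project's verbatim source.

```php
<?php
// Added example, not the Music Gallery Site's own code. Field name 'audio',
// UPLOAD_DIR, the MIME map and the return shapes are assumptions.
//
// Typical shape of the vulnerable pattern this replaces (illustrative, not the
// project's verbatim source): the client-supplied name decides the extension
// and the file lands under the web root, so evil.php becomes executable.
//
//   $fname = 'uploads/music/' . time() . '_' . $_FILES['audio']['name'];
//   move_uploaded_file($_FILES['audio']['tmp_name'], $fname);

const UPLOAD_DIR = '/var/lib/music_gallery/uploads'; // outside the web root (assumed path)
const MAX_BYTES  = 50 * 1024 * 1024;

// Whitelisted extensions and the MIME types libmagic reports for genuine files
// of that kind. Tune against the files the installation actually receives.
const ALLOWED = [
    'mp3' => ['audio/mpeg'],
    'wav' => ['audio/x-wav', 'audio/wav'],
    'ogg' => ['audio/ogg'],
];

// Authentication of the caller belongs in the dispatcher before this runs.
function validate_audio_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or no file sent'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // 1. Extension whitelist. Only the final suffix counts, so "shell.php.mp3"
    //    is judged as .mp3 and then still has to pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }

    // 2. Content check on the bytes on disk. $_FILES['audio']['type'] is
    //    client-controlled and deliberately ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content sniffed as $mime, not a $ext file"];
    }

    // 3. Server-chosen name: the client filename never reaches the filesystem.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

function save_audio_upload(array $file): array
{
    [$ok, $detail] = validate_audio_upload($file);
    if (!$ok) {
        return ['status' => 'failed', 'msg' => $detail];
    }
    $dest = UPLOAD_DIR . '/' . $detail;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['status' => 'failed', 'msg' => 'could not store file'];
    }
    chmod($dest, 0640); // readable by the web server process, never executable
    return ['status' => 'success', 'stored_as' => $detail];
}

// Files outside the web root need a delivery route. Only names this code
// generated are accepted, which rules out traversal and any other extension.
function serve_audio(string $stored): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(mp3|wav|ogg)$/', $stored, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]][0]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $stored . '"');
    readfile($path);
}

// Wiring into a Master.php-style dispatcher (assumed shape):
//   case 'save_music': echo json_encode(save_audio_upload($_FILES['audio'] ?? [])); break;
```

Even with these checks a polyglot (a valid MP3 whose ID3 tag contains PHP code) still passes the content sniff; that is why the random name, the whitelisted extension, the out-of-web-root directory and the execution deny in the Apache fragment above are layered rather than relying on validation alone.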
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.