CVE-2024-30849 Overview
CVE-2024-30849 is an arbitrary file upload vulnerability affecting Sourcecodester Complete E-Commerce Site version 1.0. This vulnerability allows remote attackers to execute arbitrary code by exploiting the filename parameter in the admin/products_photo.php endpoint. The flaw stems from improper input validation (CWE-98), enabling attackers to upload malicious files that can be executed on the server, potentially leading to complete system compromise.
Critical Impact
Remote attackers can achieve arbitrary code execution on vulnerable systems without authentication, potentially leading to full server compromise, data theft, and lateral movement within the network.
Affected Products
- Donbermoy Complete E-Commerce Site v1.0
- All installations using the admin/products_photo.php functionality
- Web servers hosting this e-commerce application
Discovery Timeline
- 2024-04-05 - CVE-2024-30849 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2024-30849
Vulnerability Analysis
This arbitrary file upload vulnerability exists in the product photo upload functionality of the Complete E-Commerce Site application. The admin/products_photo.php endpoint fails to properly validate the filename parameter, allowing attackers to upload files with arbitrary extensions, including executable PHP scripts. Once uploaded, these malicious files can be accessed directly through the web server, resulting in remote code execution.
The vulnerability is particularly severe because it can be exploited remotely over the network without requiring authentication or user interaction. Successful exploitation grants attackers the ability to execute arbitrary commands with the privileges of the web server process, potentially compromising confidentiality, integrity, and availability of the entire system.
Root Cause
The root cause of this vulnerability is improper file path handling (CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program). The application fails to implement adequate server-side validation on uploaded files, including:
- Missing file type/extension whitelisting
- Absence of content-type verification
- Lack of filename sanitization
- No restriction on executable file uploads
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can craft a malicious HTTP request to the admin/products_photo.php endpoint with a specially crafted filename parameter containing a PHP web shell or other malicious payload. The exploitation flow typically involves:
- Crafting a malicious file (e.g., PHP web shell) disguised with an allowed extension or exploiting the filename parameter directly
- Uploading the malicious file through the vulnerable endpoint
- Accessing the uploaded file via direct URL to trigger code execution
- Executing arbitrary commands on the compromised server
For detailed technical information about this vulnerability, refer to the GitHub Issue Report.
Detection Methods for CVE-2024-30849
Indicators of Compromise
- Suspicious file uploads to the product photo directories with .php, .phtml, or other executable extensions
- Unexpected PHP files appearing in upload directories
- Web shell signatures in server logs or file system
- Unusual outbound connections from the web server process
- Access logs showing direct requests to recently uploaded files in product photo directories
Detection Strategies
- Implement file integrity monitoring on web application upload directories
- Monitor HTTP POST requests to admin/products_photo.php for suspicious filename patterns
- Deploy web application firewalls (WAF) with rules to detect file upload attacks
- Analyze web server access logs for sequential upload-then-execute patterns
- Use intrusion detection systems to identify web shell communication patterns
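The upload-then-execute pattern from the detection strategies above, as an added example written for this advisory rather than code from the Sourcecodester project: it parses Apache combined-format access log lines, records each client's POSTs to admin/products_photo.php, and flags any later request for a script-like file under the upload path by the same client. The log lines are constructed, and the /uploads/ path and the 10-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines for illustration (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2024:10:01:02 +0000] "GET /admin/products.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2024:10:01:15 +0000] "POST /admin/products_photo.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2024:10:01:20 +0000] "GET /uploads/products/shell.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2024:10:05:00 +0000] "GET /uploads/products/shoe.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Apr/2024:11:30:00 +0000] "GET /uploads/products/old.phtml HTTP/1.1" 404 196 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/admin/products_photo.php"   # endpoint named in the advisory
UPLOAD_DIR = "/uploads/"                        # assumption: where product photos are stored
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)                  # assumption: upload-to-execute correlation window

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec

def find_upload_then_execute(log_text):
    """Flag requests for script files under the upload dir; link each to a prior upload by the same IP."""
    last_upload = {}                            # ip -> time of its latest POST to the upload endpoint
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            last_upload[rec["ip"]] = rec["ts"]
        elif rec["path"].startswith(UPLOAD_DIR) and EXEC_EXT.search(rec["path"]):
            since = last_upload.get(rec["ip"])
            findings.append({
                "ip": rec["ip"], "path": rec["path"], "status": int(rec["status"]),
                # True when the same client uploaded shortly before requesting the script
                "upload_then_execute": since is not None and rec["ts"] - since <= WINDOW,
            })
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(finding)
```

A request for a script file under the upload path is reported even without a matching upload (a 404 for such a path can be a probe), while a linked upload-then-execute sequence by one client is the stronger signal that warrants an immediate look at the directory.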
Monitoring Recommendations
- Enable verbose logging on the web server and application layer
- Set up alerts for new executable files created in upload directories
- Monitor for process spawning from web server processes (e.g., www-data or apache spawning shells)
- Implement network monitoring for C2 communication patterns
- Regularly audit uploaded files for malicious content
How to Mitigate CVE-2024-30849
Immediate Actions Required
- Remove or disable the admin/products_photo.php functionality if not critical to operations
- Implement strict file upload validation including extension whitelisting (allow only image formats like .jpg, .png, .gif)
- Add server-side content-type verification using magic bytes/file signatures
- Store uploaded files outside the web root or in a directory with execution disabled
- Review and remove any suspicious files from upload directories
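The validation described in the immediate actions above (extension allow-listing for image types, magic-byte verification, filename sanitization, and never reusing the client-supplied name), as an added example in Python that is not the application's own PHP upload handler; the signatures table and the sample inputs are constructed for illustration.

```python
import os
import secrets

# Allow-list of image extensions and the file signatures (magic bytes) each must begin with.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a server-chosen filename for an acceptable image, or raise ValueError."""
    # Strip any directory component, whichever separator the client used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext}")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared image type")
    # Never persist the client-supplied name: a server-generated random name
    # neutralises double extensions (x.php.jpg), path tricks and overwrites.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(client_filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(client_filename, data)
        return True
    except ValueError:
        return False

# Constructed sample inputs (tiny headers, not full images).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_STUB = b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    print(validate_upload("shoe.png", PNG_HEADER))   # random name ending in .png
    for name, body in [("shell.php", PHP_STUB), ("shell.php.jpg", PHP_STUB), ("../shell.php", PHP_STUB)]:
        print(name, "accepted" if is_accepted(name, body) else "rejected")
```

A magic-byte check alone does not reject a genuine image with script text appended after the header, which is why the remaining actions (storage outside the web root or with execution disabled) still matter even after this validation is in place.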
Patch Information
At the time of this writing, no official vendor patch has been released for this vulnerability. Organizations using Sourcecodester Complete E-Commerce Site v1.0 should implement the workarounds below and consider migrating to a more actively maintained e-commerce platform. Monitor the vendor's repository and security channels for any future patches.
Workarounds
- Configure the web server to disable PHP execution in upload directories using .htaccess or server configuration
- Implement application-level file upload validation with strict whitelisting
- Use a separate domain or subdomain for serving user-uploaded content
- Deploy a web application firewall with file upload attack signatures
- Restrict access to the admin panel through IP whitelisting or VPN
# Apache 2.4 server configuration (httpd.conf or a vhost file) to disable PHP execution in the uploads directory
<Directory "/var/www/html/uploads">
    # php_admin_flag only takes effect under mod_php; with PHP-FPM the FilesMatch block below does the work
    php_admin_flag engine off
    <FilesMatch "\.(php\d?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
# .htaccess alternative placed inside the uploads folder (<Directory> and php_admin_flag are not permitted in .htaccess)
php_flag engine off
<FilesMatch "\.(php\d?|phtml|phar)$">
    Require all denied
</FilesMatch>
# Nginx alternative; regex locations are tried in order, so this block must precede the generic \.php$ FastCGI location
location ~* ^/uploads/.*\.(php\d?|phtml|phar)$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


