CVE-2024-4921: Employee Gate Pass Logging System RCE Flaw

CVE-2024-4921 Overview

CVE-2024-4921 is an unrestricted file upload vulnerability [CWE-434] in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. The flaw resides in the /employee_gatepass/classes/Users.php?f=ssave endpoint, where the img parameter accepts arbitrary file content without proper validation. Remote authenticated attackers can manipulate the parameter to upload malicious files to the web server. The vulnerability was published on May 16, 2024, and is tracked as VDB-264456. Public exploit details have been disclosed, increasing the practical risk to deployed systems.

Critical Impact

Successful exploitation allows remote attackers to upload arbitrary files through the img parameter, potentially leading to web shell deployment and further compromise of the host application.

Affected Products

• Oretnom23 / SourceCodester Employee and Visitor Gate Pass Logging System 1.0
• Vulnerable component: /employee_gatepass/classes/Users.php?f=ssave
• Vulnerable parameter: img

Discovery Timeline

• 2024-05-16 - CVE-2024-4921 published to NVD with VulDB identifier 264456
• 2025-02-10 - Last updated in NVD database

Technical Details for CVE-2024-4921

Vulnerability Analysis

The vulnerability stems from missing server-side validation in the Users.php handler when the f=ssave action is invoked. The img argument accepts file data without verifying file type, extension, MIME content, or magic bytes. Attackers can submit executable content disguised as an image and have it stored within a web-accessible directory. This pattern aligns with [CWE-434: Unrestricted Upload of File with Dangerous Type].

The attack requires network access and low privileges, with no user interaction. Because the upload occurs through a standard HTTP request, exploitation is straightforward using common tooling such as curl or browser-based form submissions. The disclosed proof-of-concept makes exploitation reproducible.

Root Cause

The root cause is the absence of allowlist-based validation on uploaded content. The application does not enforce file extension restrictions, MIME type verification, or content inspection on the img parameter. The handler writes the supplied data to disk under a predictable path, making the uploaded file directly retrievable through the web server.

Attack Vector

An attacker with an authenticated session sends a crafted POST request to /employee_gatepass/classes/Users.php?f=ssave with the img field containing a server-side script such as PHP. Once stored, the attacker requests the file through the web server, triggering execution within the application context. This yields remote command execution capability bounded by the privileges of the web server user. Technical details are documented in the public GitHub Upload Documentation and VulDB #264456 entries.

Detection Methods for CVE-2024-4921

Indicators of Compromise

• Unexpected files with executable extensions (.php, .phtml, .phar) within upload directories used by the Employee Gate Pass application
• HTTP POST requests to /employee_gatepass/classes/Users.php?f=ssave with anomalously large or non-image img payloads
• Outbound connections initiated by the web server process to unfamiliar hosts shortly after upload activity
• Web server access logs showing GET requests to newly created files in image upload paths

Detection Strategies

• Inspect web server logs for POST requests to Users.php?f=ssave followed by GET requests to files written within minutes
• Apply content-inspection rules at the web application firewall (WAF) to flag uploads where the img parameter contains PHP tags or shell metacharacters
• Hash and inventory files in the upload directory; alert when new files appear with non-image extensions or non-image magic bytes

Monitoring Recommendations

• Enable file integrity monitoring on the employee_gatepass web root, especially writable upload directories
• Forward web server and PHP error logs to a centralized analytics platform for correlation with process and network telemetry
• Monitor the web server process for unexpected child processes such as sh, bash, nc, or python that indicate web shell execution

How to Mitigate CVE-2024-4921

Immediate Actions Required

• Restrict network access to the Employee and Visitor Gate Pass Logging System to trusted internal networks until a patch is applied
• Disable PHP execution within the upload directory by configuring the web server to treat the path as static content only
• Audit upload directories for unauthorized files and remove any artifacts that do not match valid image content
• Rotate credentials for accounts that had access to the application during the exposure window

Patch Information

No vendor patch has been published for this issue in the data sources reviewed. The product, SourceCodester Employee and Visitor Gate Pass Logging System 1.0, is a small open-source project from oretnom23. Operators should treat the deployment as unsupported and apply compensating controls. Track updates through VulDB CTI Information #264456 for any vendor response.

Workarounds

• Implement an allowlist of accepted file extensions (for example, .jpg, .png, .gif) and validate the file's magic bytes server-side before persisting it
• Rename uploaded files to random identifiers and strip user-supplied extensions to prevent direct script execution
• Store uploaded content outside the web root and serve it through a controlled handler that sets a non-executable content type
• Deploy a WAF rule that blocks uploads containing strings such as <?php, <?=, or system( within the img parameter

# Apache configuration example to disable PHP execution in the upload directory
<Directory "/var/www/html/employee_gatepass/uploads">
    php_flag engine off
    AddType text/plain .php .phtml .php3 .php4 .php5 .phar
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>