CVE-2024-6373 Overview
A critical unrestricted file upload vulnerability has been discovered in itsourcecode Online Food Ordering System version 1.0. This vulnerability affects the /addproduct.php file, where improper validation of the photo argument allows attackers to upload arbitrary files to the web server. The attack can be initiated remotely without authentication, potentially leading to remote code execution if an attacker uploads a malicious web shell or script.
Critical Impact
Remote attackers can upload malicious files to the server, potentially leading to complete system compromise through web shell deployment or arbitrary code execution.
Affected Products
- Kevinwong Online Food Ordering System version 1.0
- itsourcecode Online Food Ordering System up to version 1.0
Discovery Timeline
- June 27, 2024 - CVE-2024-6373 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-6373
Vulnerability Analysis
This vulnerability stems from a classic unrestricted file upload flaw (CWE-434) in the product management functionality of the Online Food Ordering System. The /addproduct.php endpoint accepts file uploads through the photo parameter without implementing proper server-side validation of file types, content, or extensions.
The lack of input validation means the application trusts user-supplied data, allowing an attacker to bypass any client-side restrictions and upload files with dangerous extensions such as .php, .phtml, or other executable file types. Once uploaded, these malicious files can be accessed directly through the web server, enabling code execution in the context of the web application.
The vulnerability is particularly concerning because it can be exploited remotely without any authentication requirements, making it accessible to any attacker with network access to the vulnerable application.
Root Cause
The root cause is improper input validation in the file upload handling logic within /addproduct.php. The application fails to:
- Validate file extensions against a whitelist of allowed image types
- Check the MIME type of uploaded files server-side
- Sanitize or rename uploaded files to prevent execution
- Store uploaded files outside the web root or in a non-executable directory
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Accessing the /addproduct.php endpoint directly
- Crafting a malicious HTTP POST request with a file upload containing a web shell or malicious script disguised as or in place of an image
- Manipulating the photo parameter to upload the malicious file
- Accessing the uploaded file through the web server to execute arbitrary commands
The vulnerability has been publicly disclosed and exploit details are available through the GitHub Issue Tracker and VulDB, increasing the risk of exploitation in the wild.
Detection Methods for CVE-2024-6373
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .asp, .jsp) in upload directories
- HTTP POST requests to /addproduct.php containing non-image file types or suspicious payloads
- Web server logs showing access to newly uploaded files with script extensions
- Unusual process spawning from web server processes (e.g., www-data user executing shell commands)
Detection Strategies
- Monitor file system changes in web application upload directories for non-image file types
- Implement web application firewall (WAF) rules to detect file upload attempts with dangerous extensions
- Review HTTP access logs for requests to /addproduct.php followed by requests to suspicious file paths
- Deploy file integrity monitoring on web server directories to detect unauthorized file creation
Monitoring Recommendations
- Enable detailed logging for all file upload operations in the web application
- Configure intrusion detection systems (IDS) to alert on web shell signatures and suspicious file uploads
- Monitor outbound network connections from web server processes for command-and-control activity
- Implement real-time alerting for new executable files created in web-accessible directories
How to Mitigate CVE-2024-6373
Immediate Actions Required
- Restrict access to /addproduct.php through IP whitelisting or authentication requirements
- Disable the file upload functionality until a patch can be applied
- Review upload directories for any existing malicious files and remove them immediately
- Implement web application firewall rules to block file uploads with executable extensions
Patch Information
No official vendor patch has been released for this vulnerability at the time of publication. Organizations using the affected Online Food Ordering System should contact the vendor or consider implementing the workarounds below. Monitor the VulDB entry for updates on available patches.
Workarounds
- Implement server-side file type validation by checking file extensions against a strict whitelist (e.g., .jpg, .jpeg, .png, .gif)
- Validate file MIME types server-side using functions like finfo_file() or getimagesize() in PHP
- Rename uploaded files to random, non-executable names and store them outside the web root
- Configure the web server to disable script execution in upload directories
- Implement authentication requirements for all product management endpoints
# Apache configuration to prevent script execution in uploads directory
<Directory "/var/www/html/uploads">
Options -ExecCGI -Indexes
AllowOverride None
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|sh|cgi)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
