CVE-2024-8089 Overview
CVE-2024-8089 is an unrestricted file upload vulnerability in SourceCodester (Janobe) E-Commerce System 1.0. The flaw resides in the /ecommerce/admin/products/controller.php script, where the photo parameter accepts arbitrary file types without validation. An authenticated remote attacker with low privileges can upload malicious files, including server-side scripts, leading to potential code execution on the host. The exploit has been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed instances. This issue is tracked under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Remote attackers can upload arbitrary files via the photo parameter, enabling webshell deployment and full compromise of the application backend.
Affected Products
- Janobe E-Commerce System 1.0
- SourceCodester E-Commerce System (distribution)
- Deployments using /ecommerce/admin/products/controller.php
Discovery Timeline
- 2024-08-23 - CVE-2024-8089 published to NVD
- 2024-08-27 - Last updated in NVD database
Technical Details for CVE-2024-8089
Vulnerability Analysis
The vulnerability exists in the product administration controller at /ecommerce/admin/products/controller.php. The script processes file uploads through the photo parameter without enforcing MIME type, extension, or content validation. An attacker authenticated with low-level administrative access can submit a multipart request containing a PHP file disguised or named as an image. The web server then stores the uploaded file within a web-accessible directory, allowing direct execution by requesting its URL. Successful exploitation yields arbitrary command execution within the privileges of the web server user. The disclosed public proof-of-concept lowers the barrier for opportunistic exploitation against exposed deployments.
Root Cause
The root cause is missing input validation on file upload handling. The application does not verify the file extension allowlist, MIME type, or magic bytes before persisting the uploaded photo to disk. This omission, classified as CWE-434, permits dangerous file types to reach an executable directory. The EPSS probability is 0.107% with a percentile rank of 28.4 as of 2026-05-26.
Attack Vector
The attack is remote and requires authenticated low-privilege access to the admin product management interface. An attacker sends a crafted HTTP POST request to /ecommerce/admin/products/controller.php containing a server-side script in the photo field. Once uploaded, the attacker accesses the file directly via its URL to invoke execution. See the public technical writeup at the GitHub Vulnerability Report for request details.
Detection Methods for CVE-2024-8089
Indicators of Compromise
- HTTP POST requests to /ecommerce/admin/products/controller.php containing multipart payloads with non-image extensions in the photo field.
- Newly created .php, .phtml, or .phar files within the application's product image upload directory.
- Outbound network connections originating from the web server process to unrecognized hosts after admin file upload activity.
- Unexpected web server worker processes spawning shell interpreters such as /bin/sh, bash, or cmd.exe.
Detection Strategies
- Monitor web access logs for POST requests to the vulnerable endpoint correlated with subsequent GET requests to files in the upload directory.
- Deploy file integrity monitoring on upload directories to alert on creation of executable script files.
- Inspect uploaded file content for PHP tags (<?php) or shell directives regardless of file extension.
- Apply WAF rules that reject multipart uploads whose declared content type does not match the actual file magic bytes.
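The first detection strategy above (a POST to the vulnerable controller followed by a GET of a script-named file in the upload directory) is shown here as an added Python example run over constructed Apache access-log lines. It is not code from the page or from the Janobe/SourceCodester project; the upload directory path, the 30-minute window and the log lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Endpoint named in the advisory, and the upload directory assumed for this example.
VULN_ENDPOINT = "/ecommerce/admin/products/controller.php"
UPLOAD_DIR = "/ecommerce/admin/products/uploads/"

# Apache "combined" log format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Script extension anywhere in the file name, so "shell.php.jpg" is caught as well as "shell.php".
SCRIPT_EXT_RE = re.compile(r'\.(php|phtml|phar|php[3-7])(\.|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_upload_then_exec(lines, window=timedelta(minutes=30)):
    """Flag GETs of script-named files in the upload directory that follow a POST to the
    vulnerable controller within `window`. Returns a list of alert dicts."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    uploads = [e for e in events if e["method"] == "POST" and e["path"] == VULN_ENDPOINT]
    alerts = []
    for e in events:
        if e["method"] != "GET" or not e["path"].startswith(UPLOAD_DIR):
            continue
        if not SCRIPT_EXT_RE.search(e["path"][len(UPLOAD_DIR):]):
            continue
        # Correlate with the most recent qualifying upload before this request.
        prior = [u for u in uploads if timedelta(0) <= e["ts"] - u["ts"] <= window]
        if prior:
            u = max(prior, key=lambda u: u["ts"])
            alerts.append({
                "upload_ip": u["ip"],
                "request_ip": e["ip"],
                "path": e["path"],
                "status": e["status"],
                "seconds_after_upload": int((e["ts"] - u["ts"]).total_seconds()),
            })
    return alerts


# Constructed sample log lines (not real traffic): a benign image fetch, one suspect
# upload-then-request sequence, and a late request outside the correlation window.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Aug/2024:10:15:01 +0000] "POST /ecommerce/admin/login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Aug/2024:10:15:40 +0000] "POST /ecommerce/admin/products/controller.php?action=add HTTP/1.1" 200 512',
    '198.51.100.5 - - [23/Aug/2024:10:15:50 +0000] "GET /ecommerce/admin/products/uploads/banner.png HTTP/1.1" 200 4096',
    '203.0.113.7 - - [23/Aug/2024:10:16:05 +0000] "GET /ecommerce/admin/products/uploads/1724408140.php HTTP/1.1" 200 87',
    '203.0.113.7 - - [23/Aug/2024:12:00:00 +0000] "GET /ecommerce/admin/products/uploads/old.php.jpg HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in find_upload_then_exec(SAMPLE_LOG):
        print(alert)
```

Only the fourth line is flagged: the request to old.php.jpg falls outside the window, and the PNG fetch has no script extension. In a SIEM the same join would be expressed on the parsed fields; the window and the extension pattern are the two knobs to tune for false positives.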
Monitoring Recommendations
- Centralize web server, PHP-FPM, and application logs in a SIEM for correlation across upload and execution events.
- Alert on web server processes executing system binaries or initiating outbound connections post-upload.
- Track authentication events to the admin panel and flag low-privilege accounts performing file upload operations.
How to Mitigate CVE-2024-8089
Immediate Actions Required
- Restrict access to /ecommerce/admin/products/controller.php via network ACLs or authentication enforcement until a fix is applied.
- Remove script execution permissions on the product image upload directory at the web server level.
- Audit existing files in upload directories and remove any unauthorized scripts.
- Rotate administrative credentials and review admin account activity for unauthorized uploads.
Patch Information
No official vendor patch has been published for Janobe E-Commerce System 1.0 at the time of disclosure. Operators should consult the SourceCodester Security Resource and the VulDB entry for vendor advisories or updates. Until a fix is released, implement compensating controls below.
Workarounds
- Implement server-side validation enforcing an allowlist of image extensions (.jpg, .jpeg, .png, .gif) and validate file magic bytes.
- Store uploaded files outside the web root and serve them through a controlled handler that sets non-executable content types.
- Configure the web server to disable PHP execution within the upload directory using directives such as php_flag engine off or equivalent.
- Deploy a Web Application Firewall rule that blocks multipart uploads containing PHP tags in the photo field.
# Apache configuration example to disable script execution in the upload directory.
# php_flag is a mod_php directive and Apache rejects it when mod_php is not loaded;
# under PHP-FPM the <FilesMatch> block below is what actually prevents execution.
<Directory "/var/www/ecommerce/admin/products/uploads">
    php_flag engine off
    AddType text/plain .php .phtml .phar .php3 .php4 .php5 .php7
    Options -ExecCGI
    # Deny direct requests for script-named files regardless of the configured handler.
    <FilesMatch "\.(php|phtml|phar|php[3-7])$">
        Require all denied
    </FilesMatch>
</Directory>
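The application-side workarounds (extension allowlist, magic-byte check, content inspection for PHP tags, and a server-chosen storage name) are shown below as an added reference implementation in Python, run against constructed sample uploads. It is not code from the page or from the Janobe/SourceCodester project; the controller itself is PHP, so the same checks would be ported into its upload handler. The function names, signatures table and sample files are assumptions made for the example.

```python
import os
import re
import secrets

# Allowlisted image extensions with their expected magic bytes (tuples, for str.startswith).
ALLOWED_SIGNATURES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
EXPECTED_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
SCRIPT_EXTS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7"}
# PHP open tags and the legacy <script language="php"> form, so a polyglot image is rejected.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE)


def check_upload(filename, declared_mime, data):
    """Return (accepted, reason). On rejection `reason` names the first failed check;
    on acceptance it is the canonical extension to store the file under."""
    name = os.path.basename(filename)          # strip any directory component from the client name
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowlisted"
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        return False, "script extension inside name"      # e.g. shell.php.jpg
    if declared_mime != EXPECTED_MIME[ext]:
        return False, "declared Content-Type does not match extension"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG_RE.search(data):
        return False, "embedded PHP tag"
    return True, ext


def storage_name(ext):
    """Random, server-chosen file name; the client-supplied name never reaches disk."""
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not real files): one valid PNG and four that must be rejected.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLES = [
    ("photo.png", "image/png", PNG_BYTES),
    ("shell.php", "image/png", b"<?php echo 1; ?>"),
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("poly.gif", "image/gif", b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>"),
    ("fake.jpg", "image/jpeg", b"<?php echo 1; ?>"),
]

if __name__ == "__main__":
    for fname, mime, data in SAMPLES:
        ok, reason = check_upload(fname, mime, data)
        print(f"{fname:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The checks are ordered cheapest first and each one is independent, so a file has to pass all of them; the polyglot GIF shows why the magic-byte check alone is not enough. The accepted extension is the only client-influenced value that survives, and it is appended to a random name written outside the web root.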
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.