CVE-2024-8170 Overview
CVE-2024-8170 is an unrestricted file upload vulnerability in SourceCodester Zipped Folder Manager App version 1.0. The flaw resides in the /endpoint/add-folder.php script, where manipulation of the folder argument allows attackers to upload arbitrary files. The vulnerability is exploitable remotely and requires only low-privilege authentication. A public proof-of-concept has been disclosed, increasing the risk of opportunistic exploitation against exposed instances. The weakness maps to CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Remote attackers with low-privilege access can upload arbitrary files through /endpoint/add-folder.php, potentially enabling further attacks against the hosting environment.
Affected Products
- SourceCodester Zipped Folder Manager App 1.0
- Rems Zipped Folder Manager App (rems:zipped_folder_manager_app:1.0)
- Deployments exposing the /endpoint/add-folder.php endpoint
Discovery Timeline
- 2024-08-26 - CVE-2024-8170 published to NVD
- 2024-08-27 - Last updated in NVD database
Technical Details for CVE-2024-8170
Vulnerability Analysis
The vulnerability exists in the file upload handler implemented in /endpoint/add-folder.php. The application accepts user-supplied input through the folder argument without enforcing restrictions on file type, extension, or content. Attackers can submit crafted HTTP requests that include executable or otherwise dangerous payloads in place of expected archive data.
Because the application is a PHP-based folder management tool, uploaded files placed within the webroot can be requested directly by the attacker. This turns an unrestricted upload into a pathway for serving attacker-controlled content from the host. The exploit has been disclosed publicly through a GitHub proof-of-concept, lowering the barrier to weaponization.
Root Cause
The root cause is missing server-side validation of uploaded content in the add-folder.php endpoint. The script does not verify MIME type, file extension allowlists, or magic-byte signatures before persisting the file. There is also no evidence of randomized storage paths or execution prevention on the upload directory.
Attack Vector
The attack is performed over the network against the HTTP interface of a vulnerable installation. An authenticated user with low privileges submits a POST request to /endpoint/add-folder.php with a manipulated folder parameter referencing a malicious file. The server stores the file, after which the attacker can interact with it through subsequent HTTP requests. Technical exploitation details are documented in the public GitHub proof-of-concept and in the VulDB entry #275769.
Detection Methods for CVE-2024-8170
Indicators of Compromise
- Unexpected files written to directories used by the Zipped Folder Manager App, particularly files with executable extensions such as .php, .phtml, or .phar.
- HTTP POST requests to /endpoint/add-folder.php containing non-archive payloads or unusual folder parameter values.
- Outbound network connections originating from the web server process shortly after upload activity.
Detection Strategies
- Inspect web server access logs for POST /endpoint/add-folder.php entries from unexpected sources or with anomalous payload sizes.
- Apply file integrity monitoring across web-accessible directories to flag the creation of new server-side scripts.
- Correlate authentication events with upload activity to identify low-privileged accounts performing administrative-style actions.
Monitoring Recommendations
- Forward web server, authentication, and file-system telemetry to a centralized analytics platform for cross-source correlation.
- Alert on web shell behaviors such as a PHP interpreter spawning shell processes from within upload directories.
- Track repeated requests to /endpoint/add-folder.php from a single source as a potential automated exploitation attempt.
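The detection strategies and monitoring recommendations above, as an added worked example that is not part of the original advisory: a small Python analyzer that runs over constructed Apache access-log lines and raises the three alerts the lists describe (oversized POSTs to the upload endpoint, repeated POSTs from one source, and requests for server-side scripts inside the upload directory). It assumes a custom LogFormat with a trailing %I field from mod_logio (bytes received), because the default combined format records only response size and cannot show request payload size; the endpoint path comes from the advisory, while the upload directory prefix, size ceiling and burst thresholds are assumptions to adjust per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed LogFormat (must be configured on the server; %I needs mod_logio):
#   LogFormat "%h %l %u %t \"%r\" %>s %b %I" upload_audit
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<sent>\S+) (?P<received>\d+)$'
)

UPLOAD_ENDPOINT = "/endpoint/add-folder.php"   # from the advisory
UPLOAD_DIR_PREFIX = "/uploads/"                # assumed web path of the upload destination
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
MAX_REQUEST_BYTES = 5 * 1024 * 1024            # assumed ceiling for a legitimate archive upload
BURST_THRESHOLD = 3                            # this many POSTs to the endpoint from one source ...
BURST_WINDOW = timedelta(seconds=60)           # ... inside this window counts as automation

# Constructed sample log lines (not real traffic); the last four mimic an exploitation pattern.
SAMPLE_LOG = """\
10.0.0.5 - alice [26/Aug/2024:10:00:01 +0000] "POST /endpoint/add-folder.php HTTP/1.1" 200 512 20480
10.0.0.5 - alice [26/Aug/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 310
203.0.113.9 - bob [26/Aug/2024:10:05:00 +0000] "POST /endpoint/add-folder.php HTTP/1.1" 200 512 9437184
203.0.113.9 - bob [26/Aug/2024:10:05:01 +0000] "POST /endpoint/add-folder.php HTTP/1.1" 200 512 640
203.0.113.9 - bob [26/Aug/2024:10:05:02 +0000] "POST /endpoint/add-folder.php HTTP/1.1" 200 512 640
203.0.113.9 - bob [26/Aug/2024:10:05:03 +0000] "GET /uploads/x.php HTTP/1.1" 200 128 290
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["received"] = int(rec["received"])
    return rec


def analyze(lines):
    """Return a list of (rule, source_ip, detail) alerts in the order they are raised."""
    alerts = []
    posts_by_ip = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            posts_by_ip[rec["ip"]].append(rec["ts"])
            if rec["received"] > MAX_REQUEST_BYTES:
                alerts.append(("oversized_upload", rec["ip"], f"{rec['received']} bytes"))
        # A request for a .php/.phtml/.phar file under the upload path is the
        # "unexpected executable file" indicator, seen from the access log side.
        if rec["path"].startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(rec["path"]):
            alerts.append(("script_in_upload_dir", rec["ip"], rec["path"]))
    # Sliding window over each source's POST timestamps to spot automated retries.
    for ip, stamps in posts_by_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + BURST_THRESHOLD - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= BURST_WINDOW:
                alerts.append(("upload_burst", ip,
                               f"{BURST_THRESHOLD} POSTs within {BURST_WINDOW.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} {ip:15} {detail}")
```

On the constructed sample the alerts all attach to 203.0.113.9: one POST whose request body exceeds the ceiling, three POSTs inside a minute, and a follow-up GET for a script under the upload path. Each rule is independently weak; correlating them per source, as the monitoring recommendations suggest, is what separates an attack from a user re-uploading a large archive.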
How to Mitigate CVE-2024-8170
Immediate Actions Required
- Restrict network access to the Zipped Folder Manager App until a vendor fix is available, limiting exposure to trusted administrators only.
- Audit existing upload directories for unexpected files and remove any artifacts that cannot be attributed to legitimate activity.
- Rotate credentials for accounts with access to the application, since exploitation requires low-level authentication.
Patch Information
No vendor advisory or official patch is referenced in the NVD record at the time of publication. Operators tracking the issue should monitor SourceCodester Security Resources and the VulDB #275769 entry for updates. Where no patched release is available, organizations should consider replacing the application with a maintained alternative.
Workarounds
- Place the /endpoint/add-folder.php endpoint behind a web application firewall rule that blocks non-archive content types and dangerous extensions.
- Configure the web server to disable script execution within upload destinations, for example by serving them as static content only.
- Enforce an allowlist of permitted file extensions and validate magic bytes before persisting any uploaded file.
# Apache configuration to disable PHP execution in the upload directory
<Directory "/var/www/zipped-folder-manager/uploads">
# php_admin_flag only takes effect when PHP runs as mod_php; with PHP-FPM the
# handler mapping must be removed or the directory denied instead.
php_admin_flag engine off
# Fallback: serve any script that still lands here as inert text rather than running it.
AddType text/plain .php .phtml .phar
Options -ExecCGI
</Directory>
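The root cause described under Technical Details (no extension allowlist, no magic-byte check, no randomized storage path) and the third workaround above are addressed together in this added example; it is not code from the original advisory or from the SourceCodester project, and it is written in Python as a portable reference rather than in the application's PHP. It validates an uploaded archive server-side before anything is persisted, rejects archives whose entries are server-side scripts or traverse out of the target directory (a defensive check for the case where the application later extracts the archive), and derives a random storage name. The folder-name pattern, size ceiling and upload root are assumptions.

```python
import io
import os
import re
import secrets
import zipfile

ALLOWED_EXTENSIONS = {".zip"}                 # the app manages zipped folders; nothing else is expected
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")    # local file header, or end record of an empty archive
MAX_UPLOAD_BYTES = 20 * 1024 * 1024           # assumed size ceiling
SCRIPT_ENTRY_RE = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.IGNORECASE)
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # assumed policy for the folder argument


def validate_upload(folder_name, filename, data):
    """Return (ok, reason). Every check is server-side; nothing the client sends is trusted."""
    if not SAFE_NAME_RE.match(folder_name):
        return False, "folder name contains characters outside [A-Za-z0-9_-]"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload exceeds size limit"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(ZIP_MAGIC):
        return False, "magic bytes do not match a ZIP archive"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "central directory missing or corrupt"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(("/", "\\")) or ".." in name.split("/"):
                return False, f"archive entry {name!r} attempts path traversal"
            if SCRIPT_ENTRY_RE.search(name):
                return False, f"archive entry {name!r} is a server-side script"
    return True, "ok"


def storage_path(upload_root, folder_name):
    """Random, non-guessable filename under a root that must sit outside the webroot."""
    return os.path.join(upload_root, folder_name, secrets.token_hex(16) + ".zip")


def build_zip(entries):
    """Constructed sample input: build an in-memory archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a benign archive, a script disguised by name, and a GIF renamed to .zip.
    cases = [
        ("project1", "project1.zip", build_zip({"docs/readme.txt": b"hello"})),
        ("project1", "notes.php", b"<?php /* constructed */ ?>"),
        ("project1", "image.zip", b"GIF89a" + b"\x00" * 16),
        ("project1", "site.zip", build_zip({"index.php": b"<?php /* constructed */ ?>"})),
    ]
    for folder, fname, blob in cases:
        ok, reason = validate_upload(folder, fname, blob)
        print(f"{fname:14} -> {'accept' if ok else 'reject'}: {reason}")
    print("would store at", storage_path("/srv/zfm-uploads", "project1"))
```

The order of checks matters: the cheap name and size checks run before anything touches the archive parser, and the magic-byte test runs before zipfile is asked to open the data, so a malformed upload never reaches the costlier parsing stage. Storing under a random name outside the document root makes the file unreachable over HTTP even if a later check is wrong.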
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.