CVE-2024-8341 Overview
CVE-2024-8341 is an unrestricted file upload vulnerability in SourceCodester Petshop Management System 1.0, developed by nelzkie15. The flaw resides in /controllers/add_user.php, where the avatar parameter accepts arbitrary file uploads without validation. Remote attackers with low-privilege authenticated access can exploit this issue over the network. The exploit has been publicly disclosed, increasing the likelihood of opportunistic use against exposed deployments. The weakness is tracked as CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
An authenticated remote attacker can upload arbitrary files through the avatar parameter, potentially leading to server-side script execution and full application compromise.
Affected Products
- nelzkie15 Petshop Management System 1.0
- SourceCodester Petshop Management System (distribution)
- Deployments exposing /controllers/add_user.php over the network
Discovery Timeline
- 2024-08-30 - CVE-2024-8341 published to NVD
- 2024-09-04 - Last updated in NVD database
Technical Details for CVE-2024-8341
Vulnerability Analysis
The Petshop Management System exposes a user creation endpoint at /controllers/add_user.php. The handler accepts a multipart form upload through the avatar parameter and writes the file to a web-accessible directory. The application does not validate the file extension, MIME type, or content signature before storing the upload. An authenticated attacker can therefore upload a PHP file disguised as an avatar image and reach it through a direct HTTP request to execute server-side code.
The vulnerability is exploitable remotely with low privileges and without user interaction. Because the upload occurs through standard HTTP request flows, it does not require unusual tooling or chained primitives.
Root Cause
The root cause is the absence of input validation on file uploads in add_user.php. The code path trusts the client-supplied filename and content without enforcing an allowlist of extensions, verifying magic bytes, or storing files outside the web root. This pattern matches CWE-434, which covers unrestricted upload of files with dangerous types.
Attack Vector
An attacker with a valid low-privilege account submits a crafted POST request to /controllers/add_user.php. The request includes an avatar field containing a .php payload. After upload, the attacker requests the stored file directly from its web-accessible location, causing the PHP interpreter to execute the payload under the web server context. Public technical details are available in the GitHub File Upload Vulnerability writeup and the VulDB entry #276220.
Detection Methods for CVE-2024-8341
Indicators of Compromise
- HTTP POST requests to /controllers/add_user.php containing avatar form fields with non-image extensions such as .php, .phtml, .phar, or .inc.
- Newly created files in the application's avatar or uploads directory with executable script extensions.
- Outbound network connections originating from the web server process shortly after avatar uploads, which may indicate webshell callbacks.
- Web access logs showing direct GET requests to uploaded avatar files followed by anomalous command-style query strings.
Detection Strategies
- Inspect web server access logs for POST requests to add_user.php paired with subsequent GETs to newly created files in the uploads directory.
- Apply file integrity monitoring on the application's upload directories to alert on creation of files with script extensions.
- Deploy web application firewall rules that block multipart uploads whose Content-Type or filename extension is inconsistent with image MIME types.
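The first detection strategy above, correlating POSTs to add_user.php with later GETs of script-extension files, as an added example that is not part of the original advisory. It parses combined-format access logs; the /uploads/ web path, the 30-minute window and the sample log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Extensions named in the IoC section; a file with one of these under the avatar
# directory should never be requested at all, let alone answered with 200.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".inc")
UPLOAD_ENDPOINT = "/controllers/add_user.php"
UPLOAD_DIR = "/uploads/"          # assumed web path of stored avatars (not from the advisory)
WINDOW = timedelta(minutes=30)    # how long after a POST a follow-up GET is tied to it

# Apache/Nginx "combined" access-log format
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0],          # drop the query string
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def scan(lines):
    """Alert on every GET of a script-extension file under UPLOAD_DIR and, where the same
    client POSTed to the upload endpoint within WINDOW beforehand, attach that upload time."""
    uploads, alerts = {}, []
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            uploads.setdefault(e["ip"], []).append(e["ts"])
        elif (e["method"] == "GET" and e["path"].startswith(UPLOAD_DIR)
              and e["path"].lower().endswith(SCRIPT_EXTS)):
            prior = [t for t in uploads.get(e["ip"], []) if t <= e["ts"] <= t + WINDOW]
            alerts.append({"ip": e["ip"], "path": e["path"], "status": e["status"],
                           "upload_at": max(prior) if prior else None})
    return alerts

# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2024:10:15:02 +0000] "POST /controllers/add_user.php HTTP/1.1" 302 0
203.0.113.5 - - [02/Sep/2024:10:15:09 +0000] "GET /uploads/avatar_1725271502.php?t=1 HTTP/1.1" 200 512
198.51.100.7 - - [02/Sep/2024:10:20:44 +0000] "POST /controllers/add_user.php HTTP/1.1" 302 0
198.51.100.7 - - [02/Sep/2024:10:20:51 +0000] "GET /uploads/avatar_1725271844.png HTTP/1.1" 200 20480
192.0.2.9 - - [02/Sep/2024:11:02:13 +0000] "GET /uploads/old.PHTML HTTP/1.1" 404 162
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert (192.0.2.9) has no matching upload from that client, which is why the script-file GET is reported on its own rather than only as part of a correlated pair.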
Monitoring Recommendations
- Forward web server logs to a centralized analytics platform and alert when files in the avatar directory are served with a non-image Content-Type.
- Monitor process creation under the web server user (www-data, apache, nginx) for shell interpreters spawned by PHP.
- Track authentication events on the Petshop Management System to identify brute-forced or shared accounts used to reach the upload endpoint.
How to Mitigate CVE-2024-8341
Immediate Actions Required
- Restrict network access to the Petshop Management System administrative interface, exposing it only to trusted networks or through a VPN.
- Rotate credentials for all user accounts and audit recently created accounts on affected installations.
- Inspect the application's avatar and uploads directories for unexpected files with script extensions and remove any unauthorized artifacts.
- Disable PHP execution in upload directories at the web server level until a vendor patch is applied.
Patch Information
No vendor advisory or official patch has been published for CVE-2024-8341 at the time of NVD publication. Operators should track the VulDB entry and the SourceCodester project page for updates, and consider replacing the application if no fix becomes available.
Workarounds
- Add server-side validation in /controllers/add_user.php to allowlist image extensions (.jpg, .jpeg, .png, .gif) and verify file magic bytes before saving.
- Store uploaded avatars outside the web root and serve them through a controller that sets a safe Content-Type header.
- Configure Apache or Nginx to deny execution of PHP files within the uploads directory, for example with Apache's php_admin_flag engine off or by removing the PHP handler for that path.
- Place the application behind a web application firewall with rules blocking script-extension uploads on the avatar field.
# Nginx configuration example: deny script execution in the uploads directory.
# Regex locations are tried in order of appearance and the first match wins, so this
# block must come before any generic "location ~ \.php$" fastcgi handler; otherwise
# that handler would still execute scripts stored under /uploads/.
location ~* ^/uploads/.*\.(php|phtml|phar|inc)$ {
    deny all;
    return 403;
}

# Belt-and-braces fallback: nested locations are only consulted when no top-level
# regex location matched, so this catches .php requests if the block above is lost.
location /uploads/ {
    location ~ \.php$ {
        return 403;
    }
}
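The first two workarounds (extension allowlist plus magic-byte check, then storage under a server-chosen name outside the web root) as an added example; it is not the project's code and is written in Python to show the check logic, not as a patch to the PHP handler. The signature table, the storage directory and the sample uploads are constructed for the example.

```python
import os
import secrets

# Allowlist from the workaround: canonical extension -> magic-byte prefixes that a
# genuine file of that type must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

def validate_avatar(client_filename, data):
    """Return (canonical_ext, "") if the upload is an allowlisted image whose bytes match
    the declared type, else (None, reason). Only the last suffix is examined, so a name
    like "shell.php.jpg" is judged as a JPEG and then rejected on its content."""
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if ext not in EXT_ALIASES:
        return None, f"extension {ext!r} is not an allowlisted image type"
    canonical = EXT_ALIASES[ext]
    if not data.startswith(IMAGE_SIGNATURES[canonical]):
        return None, f"content does not carry a {canonical} signature"
    return canonical, ""

def storage_name(canonical):
    """Server-chosen filename: the client-supplied name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{canonical}"

def store_avatar(client_filename, data, storage_dir):
    """Validate, then write under a random name. storage_dir is assumed to sit outside
    the web root and to be served by a controller that sets the Content-Type itself."""
    canonical, reason = validate_avatar(client_filename, data)
    if canonical is None:
        raise ValueError(reason)
    name = storage_name(canonical)
    with open(os.path.join(storage_dir, name), "xb") as fh:  # "x": never overwrite
        fh.write(data)
    return name

# Constructed sample uploads (filename -> first bytes); not real files.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.JPEG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.php": b"<?php /* constructed non-image content */",
    "shell.php.jpg": b"<?php /* constructed non-image content */",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_avatar(name, data))
```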
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.