Grocery CMS PHP Restful API Arbitrary File Upload Vulnerability

An arbitrary file upload vulnerability has been identified in Grocery-CMS-PHP-Restful-API version 1.3. The issue resides in the admin/add-category.php file, where users can upload files, potentially including web shells, to execute commands on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which could be used to upload malicious files such as web shells. Once uploaded, these files could be executed on the server, leading to remote code execution.

Reproduction

To reproduce this vulnerability, first create a JPEG image and embed a PHP web shell within it. Afterward, navigate to the 'Add Category' section in the admin panel. Modify the file extension of the uploaded image to PHP using a tool like Burp Suite. Once the file is uploaded, it will be saved in the 'admin/itemimg/' directory with the original name. The uploaded web shell can then be accessed and used to execute commands on the server.

Remediation

It is recommended to implement proper validation and checks on uploaded files, such as using a whitelist to restrict allowed file types.