ashymuzuro Full-Ecommerce Website and Muzuro Ecommerce System Unrestricted File Upload Vulnerability
Vulnerability
A file upload vulnerability has been identified in ashymuzuro Full-Ecommerce Website and Muzuro Ecommerce System versions through 1.1.0. The issue resides in the Add Product Page, specifically within the file /admin/index.php?add_product. This vulnerability allows for unrestricted file uploads, as the application does not enforce proper file type or size restrictions. The flaw can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for unrestricted file uploads, enabling the upload of malicious files such as web shells or other types of malware that can be executed on the server.
Reproduction
To reproduce this vulnerability, log in to the admin backend using an account with access. Navigate to the Add Product Page and use the file upload feature to upload a PHP Trojan file. The application accepts the file without any type verification or size limitation, so the upload succeeds.
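The checks the Add Product upload is described as lacking, shown as an added example (not code from the affected project or from this advisory). The function name, the `product_image` form field, the size limit and the allowed image types are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed limits and types; the advisory does not say what the shop should accept.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/webp' => 'webp',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored file name; throws RuntimeException on any rejected upload.
 * Hypothetical call site: store_product_image($_FILES['product_image'], $uploadDir);
 */
function store_product_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // Size restriction, measured on the received temp file.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or exceeds the size limit');
    }
    // Type restriction from file content; $file['type'] and $file['name'] are client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('File type not allowed');
    }
    if (@getimagesize($tmp) === false) {
        throw new RuntimeException('File does not parse as an image');
    }
    // Server-chosen name and extension: the upload is never stored as .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}
```

A file that parses as a valid image can still contain embedded PHP text, so the destination directory should also sit outside the web root or have script execution disabled.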
