Campcodes Retro Basketball Shoes Online Store
cpe:2.3:a:retro_basketball_shoes_online_store_project:retro_basketball_shoes_online_store:*:*:*:*:*:*:*
- 1.0
A critical unrestricted file upload vulnerability has been identified in Campcodes Retro Basketball Shoes Online Store version 1.0. The issue resides in the admin_product.php file, where the product_image argument can be manipulated to bypass file type and content validation. This vulnerability allows remote attackers to upload malicious PHP scripts, such as web shells, which can be used to gain full control over the affected system by executing commands, accessing the file system, and stealing sensitive information.
Exploitation of this vulnerability allows for arbitrary file uploads, which can lead to the execution of malicious scripts on the server. This could result in a complete compromise of the web application and potentially the underlying server, depending on the web server's configuration and the privileges of the web server user.
To reproduce this vulnerability, log into the admin panel of the Campcodes Retro Basketball Shoes Online Store version 1.0. Navigate to the product management section and upload a file through the product_image parameter. The uploaded file should be a PHP script containing a web shell, such as an AntSword web shell, encoded in a way that bypasses the application's file type restrictions. Once the file is uploaded, it can be accessed through the web server, and a connection can be established using the AntSword client to execute commands on the server.
It is recommended to implement proper file upload validation by whitelisting allowed file types, verifying MIME types, and inspecting file contents to detect executable scripts. Additionally, uploaded files should be stored in a non-web-accessible directory with execution permissions disabled.
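The checks recommended above, as an added example in PHP (the affected application's language); this is not code from the Campcodes project or from this advisory. The function name store_product_image, the 2 MiB size limit and the storage directory are assumptions, and the PHP fileinfo and GD extensions are assumed to be installed.

```php
<?php
declare(strict_types=1);

// Assumed policy: allow-listed image types and a 2 MiB size limit.
const ALLOWED_IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry (e.g. $_FILES['product_image']) and store it
 * in $storageDir, which must be outside the web root.
 * Returns the generated file name; throws RuntimeException on rejection.
 */
function store_product_image(array $upload, string $storageDir): string
{
    $tmp = (string) ($upload['tmp_name'] ?? '');
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed or was not an HTTP upload');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File size outside the permitted range');
    }

    // MIME type detected from the bytes, never from $upload['type'] or the
    // client-supplied file name, both of which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ALLOWED_IMAGE_TYPES, true)) {
        throw new RuntimeException('File type not permitted');
    }

    // Decode and re-encode with GD. A file that does not decode as an image
    // is rejected; metadata and trailing bytes are not carried over.
    $bytes = file_get_contents($tmp);
    $image = $bytes === false ? false : @imagecreatefromstring($bytes);
    if ($image === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    imagesavealpha($image, true); // keep PNG transparency

    // Random server-chosen name and fixed extension; no client input used.
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!imagepng($image, $path)) {
        throw new RuntimeException('Could not write image');
    }
    chmod($path, 0640); // readable by the application, never executable
    return $name;
}
```

Because the storage directory is not web-accessible, product images are then served by a script that looks the generated name up and streams the file with an image Content-Type, so nothing in that directory is ever passed to the PHP interpreter.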