Maho E-commerce Platform Remote Code Execution Vulnerability via Malicious File Upload

Vulnerability

A remote code execution vulnerability exists in the Maho e-commerce platform, specifically in version 25.7.0. The issue arises when an authenticated staff user with the Dashboard and Catalog Manage Products permissions creates a custom product option that includes a file input field. By permitting and then uploading files with a .php extension, the user can execute PHP scripts on the server. The vulnerability lies in the application's file upload feature: the standard restrictions on uploaded file types are bypassed, allowing arbitrary code execution.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary PHP code on the server, with the executed code running under the web server's user privileges.

Reproduction

To reproduce this vulnerability, log into the Maho admin dashboard as a user with the necessary permissions. Navigate to a product listing and create a custom option with a file upload field, with .php listed among the allowed extensions. After saving the option, upload a reverse shell PHP file through the custom option on the product page. Once the file is uploaded, determine its location on the server and request it over HTTP to execute the PHP payload.

Remediation

Users are advised to update to Maho version 25.9.0, where this vulnerability has been patched.
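The server-side check a custom file option needs to close this class of issue, written here as an added example in PHP; it is not Maho's own code, and the deny list, function names and the handling of multi-extension names are assumptions. The admin-configured allowlist is sanitized first, and every dot-separated segment of the uploaded name is checked so that names such as shell.php.jpg are also refused.

```php
<?php
// Added example (not Maho's code): hardened extension validation for a
// custom product option's file input. Executable extensions are refused
// regardless of what the admin typed into the option's allowlist.

// Extensions that must never be accepted, whatever the allowlist says.
// Assumed list; extend it for the handlers enabled on your web server.
const DENIED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht',
    'phtml', 'phar', 'cgi', 'pl', 'py', 'sh', 'htaccess', 'htpasswd',
];

// Normalize an admin-supplied allowlist such as "jpg, png, PHP, pdf"
// and drop any entry that is in the deny list.
function sanitizeAllowlist(string $configured): array
{
    $out = [];
    foreach (explode(',', $configured) as $ext) {
        $ext = strtolower(trim($ext, " \t\n\r\0\x0B."));
        if ($ext === '' || in_array($ext, DENIED_EXTENSIONS, true)) {
            continue; // empty or dangerous entry: never allow it
        }
        $out[$ext] = true;
    }
    return array_keys($out);
}

// Decide whether an uploaded filename may be accepted for the allowlist.
// Every segment after the first is treated as an extension: the name is
// rejected if any segment is denied, and accepted only if the last
// segment is explicitly allowed. Files with no extension are refused.
function isUploadAllowed(string $filename, array $allowlist): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (in_array($ext, DENIED_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($exts), $allowlist, true);
}

// Example: the allowlist an attacker would configure loses its "php" entry.
$allow = sanitizeAllowlist('jpg, png, php');          // ['jpg', 'png']
var_dump(isUploadAllowed('photo.jpg', $allow));        // bool(true)
var_dump(isUploadAllowed('shell.php', $allow));        // bool(false)
var_dump(isUploadAllowed('shell.php.jpg', $allow));    // bool(false)
```

Extension checks alone are a last line of defence: uploaded option files should also be stored outside the web root and served through a controller, so that even an accepted file is never executed by the web server.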

Added: Sep 8, 2025, 10:30 PM
Updated: Sep 8, 2025, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.3
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.