SourceCodester Pizzafy Ecommerce System Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in SourceCodester Pizzafy Ecommerce System version 1.0. The issue arises in the index.php file, where the application fails to properly validate the 'page' parameter. This flaw allows for null byte injection, bypassing file extension restrictions and enabling the inclusion of arbitrary files. The vulnerability can be exploited remotely, potentially leading to information disclosure or even remote code execution through log poisoning.

Impact

Exploitation of this vulnerability could allow an attacker to include arbitrary files, such as server logs, which could be used to execute injected PHP code, leading to remote code execution. Additionally, the vulnerability could be used to access sensitive information from logs, such as user activities and session details.

Reproduction

To reproduce this vulnerability, access the Pizzafy application and navigate to the index.php file. Append a traversal payload to the 'page' parameter, targeting a file outside the web root, such as the Apache access log. The application will attempt to include the specified file, confirming the vulnerability.

Remediation

To address this vulnerability, implement input validation to restrict the 'page' parameter to predefined values. Normalize paths to ensure they remain within the intended directory, and update the PHP environment to a version that does not allow null byte injection. Avoid using user input directly in file inclusion functions.
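One way to apply the allowlist and path normalization described above, as an added example that is not taken from the Pizzafy source. The page names, the `pages` directory and the `resolve_page` helper are assumptions, and the code assumes PHP 8.0 or later:

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the real page names must come from the application.
const ALLOWED_PAGES = ['home', 'menu', 'cart', 'about'];

/**
 * Map a user-supplied 'page' value to a file inside $baseDir, or return null.
 * resolve_page() is an illustrative helper, not a function from the project.
 */
function resolve_page(mixed $requested, string $baseDir, array $allowed = ALLOWED_PAGES): ?string
{
    // Arrays (?page[]=x) and other non-string values are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Strict exact match against fixed names: traversal sequences, null bytes
    // and absolute paths can never equal an allowlist entry.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the file sits under $baseDir
    // (catches symlinks or a mistaken allowlist entry).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Usage in index.php (assumed layout: page templates live in ./pages).
$target = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

Because the include path is built only from a value that matched the allowlist exactly, the request parameter never reaches `include` as free-form text.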

Added: Jun 2, 2026, 2:19 AM
Updated: Jun 2, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.