SourceCodester Pizzafy Ecommerce System Unrestricted File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability in SourceCodester Pizzafy Ecommerce System version 1.0 allows unrestricted file upload, leading to remote code execution. The issue lies in the 'save_menu' function of 'admin_class_novo.php', which moves an uploaded menu image into a publicly accessible directory without validating the file's type or name. An authenticated administrator can exploit this by uploading a PHP web shell in place of an image: because the file keeps its client-supplied '.php' name and lands in a web-served path, requesting it executes the shell and runs commands on the server.
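The following is an added illustration, not code from the advisory or from the Pizzafy project: a save-menu handler written in the shape the advisory describes (client filename kept, no content check, written into a web-served directory), beside a hardened version. The field name 'img', the directory 'assets/img/', the size limit and both function names are assumptions.

```php
<?php
// Added illustration, not the Pizzafy project's code: a save-menu handler in the
// shape the advisory describes, beside a hardened version. The field name 'img',
// the directory 'assets/img/' and both function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/assets/img/';     // assumed web-served directory
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed size limit

// Vulnerable pattern: the client-supplied filename (extension included) is kept,
// the content is never inspected, and the file is written into a web-served
// directory. 'shell_web2.php' arrives as assets/img/shell_web2.php and executes.
function save_menu_vulnerable(array $file): string
{
    $dest = UPLOAD_DIR . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// Hardened pattern: type decided from content, extension chosen by the server,
// random name, and a re-encode so any PHP hidden inside a real image is dropped.
function save_menu_hardened(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the magic bytes; ignore $file['type'] and the filename entirely.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('only JPEG, PNG and GIF are accepted');
    }

    // Decode and re-encode with GD. A polyglot (valid image header plus PHP in a
    // comment/EXIF block, or appended after the image data) passes finfo and
    // getimagesize, but the re-encoded output contains only pixel data.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Never reuse the client's name: no .php, .phtml, .php.jpg, path separators
    // or null bytes can reach the filesystem.
    $ext  = $allowed[$mime];
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return basename($dest);   // store only the generated name in the database
}

// Assumed call site: the menu form posts the picture in a field named 'img'.
if (PHP_SAPI !== 'cli' && isset($_FILES['img'])) {
    try {
        echo save_menu_hardened($_FILES['img']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The three controls reinforce each other: the MIME sniff alone is defeated by a file that begins with a valid image header, and an extension allowlist alone is defeated by server-side double-extension handling, but a server-chosen extension on a random name plus a GD re-encode leaves nothing for the PHP interpreter to run. As defense in depth, the upload directory should also be configured so the web server never executes scripts from it (or be kept outside the document root and served through a read-only handler).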
Impact
Exploitation of this vulnerability allows an authenticated administrator to upload arbitrary PHP files to the server, execute OS-level commands with the web server's privileges, read sensitive files such as the database credentials in the application's configuration, establish a reverse shell for interactive access, and fully compromise the underlying server. Because administrator credentials are required, the practical risk is highest where those credentials are weak, shared, or obtainable through another flaw, or where a single compromised administrator account must not be allowed to reach the operating system.
Reproduction
To reproduce this vulnerability, log in as an administrator and open the menu management page. Upload a file named 'shell_web2.php' containing a PHP web shell payload as the menu image; the application stores it under the assets directory without renaming or validating it. Because directory listing is enabled on that directory, the uploaded file can be located by browsing it. It can then be executed by requesting it directly and passing commands through its 'cmd' parameter.
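For an operator checking whether an exposed instance has already been hit, the following is an added command-line check, not part of the advisory or the project: it walks the web-served upload directory and reports files the application should never have written there. The directory path, the set of executable extensions and the function name are assumptions; adjust them to the installation and the web server configuration.

```php
<?php
// Added example, not the advisory's or the project's code: walk the web-served
// upload directory (path and extension list are assumptions) and report files
// that should never have been written by an image-upload feature.
declare(strict_types=1);

// Extensions a typical Apache/mod_php setup will execute; adjust to the server.
const EXEC_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

/**
 * Returns one finding per suspicious file: path, modification time, size and
 * the reasons it was flagged. Reasons are cumulative so a disguised shell
 * (e.g. 'menu.jpg' holding PHP) and a plain 'shell_web2.php' both surface.
 */
function find_suspicious_uploads(string $dir): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $f) {
        /** @var SplFileInfo $f */
        if (!$f->isFile()) {
            continue;
        }
        $reasons = [];
        $ext     = strtolower($f->getExtension());
        if (in_array($ext, EXEC_EXT, true)) {
            $reasons[] = "executable extension .$ext";
        }
        // shell.php.jpg and similar: some server configs still execute these.
        if (preg_match('/\.ph(p\d?|tml|ar)\./i', $f->getFilename())) {
            $reasons[] = 'double extension';
        }
        // Inspect content regardless of extension: a web shell disguised as an
        // image, or a real image with PHP appended, still carries the open tag.
        $body = file_get_contents($f->getPathname());
        if ($body !== false && preg_match('/<\?(php\b|=)/i', $body)) {
            $reasons[] = 'contains PHP open tag';
        }
        if ($reasons !== []) {
            $findings[] = [
                'path'  => $f->getPathname(),
                'mtime' => date('c', $f->getMTime()),
                'size'  => $f->getSize(),
                'why'   => $reasons,
            ];
        }
    }
    // Oldest first, which is usually the order of interest for a timeline.
    usort($findings, fn($a, $b) => strcmp($a['mtime'], $b['mtime']));
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $dir = $argv[1] ?? __DIR__ . '/assets';   // assumed upload location
    if (!is_dir($dir)) {
        fwrite(STDERR, "not a directory: $dir\n");
        exit(2);
    }
    $hits = find_suspicious_uploads($dir);
    foreach ($hits as $h) {
        printf("%s  %8d  %s  [%s]\n", $h['mtime'], $h['size'], $h['path'], implode('; ', $h['why']));
    }
    exit($hits === [] ? 0 : 1);
}
```

Run it as `php scan_uploads.php /path/to/pizzafy/assets`. Any hit's modification time gives a starting point for the web server access log: look for the first request to that path, then for subsequent requests to it carrying a 'cmd' query parameter, which reveal the commands that were run and the source addresses involved.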
