VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2022 · Updated Aug 3, 2024

CVE-2022-24553

Description

Zfaka <=1.4.5 lacks server-side file extension validation in background upload, allowing authenticated RCE via direct file upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Zfaka versions up to and including 1.4.5 contain a remote code execution vulnerability in the background file upload functionality. The only file extension check is performed client-side in JavaScript (/public/res/layui/lay/modules/upload.js); no server-side validation exists in the upload controller (/application/modules/Admin/controllers/Products.php). The upload path is predictable (/public/res/upload/ followed by the current date in Y-m-d format) and the filename is generated using the current time (His format), making the full URL of an uploaded file easily guessable [1].

Exploitation

An attacker with administrative access to the Zfaka backend can upload a malicious PHP file by sending a POST request to /Admin/products/imgurlajax with a valid product ID (pid parameter) and a Referer header pointing to the admin product edit page. The request must include the file in a multipart form. Because no server-side extension filtering is applied, a .php file is accepted and stored in the predictable upload directory. The attacker can then access the uploaded file directly via its URL to execute arbitrary PHP code [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary PHP commands on the web server, leading to full compromise of the application and potentially the underlying system. This includes data exfiltration, modification, or deletion, and further lateral movement within the network [1].

Mitigation

As of the publication date of the reference (February 2022), no official patch has been released for Zfaka. The vendor has not addressed the issue in any subsequent version. Until a fix is available, administrators should implement server-side file extension validation and restrict upload functionality to trusted users only. Consider disabling the upload feature if not required [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing server-side file extension validation in the background file upload function allows arbitrary PHP file upload."

Attack vector

An attacker with administrative access to the Zfaka backend can upload a PHP file by disabling JavaScript (which bypasses the sole front-end JS check) and sending a crafted multipart POST request to `/Admin/products/imgurlajax` [ref_id=1]. The request must include a valid product ID (`pid`) and a `Referer` header pointing to `/Admin/products/imgurl/?id=

Affected code

The vulnerability lies in the background file upload controller at `\application\modules\Admin\controllers\Products.php`. The only validation is a client-side JavaScript check in `\public\res\layui\lay\modules\upload.js`, with no server-side filtering of file extensions [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory [ref_id=1] indicates the fix must add server-side file extension validation in the upload controller (`Products.php`) rather than relying solely on client-side JavaScript checks. Without such server-side filtering, an attacker can upload arbitrary PHP files and achieve remote code execution.
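A server-side check of the kind the advisory says the upload controller lacks, as an added example; this is not Zfaka's code, and the function name, the `file` form field and the size cap are assumptions:

```php
<?php
// Added example, not Zfaka's code. Server-side validation of one $_FILES entry:
// allow-list the extension, verify the content is really an image, and let the
// server choose a random filename (which also removes the guessable His name).
declare(strict_types=1);

function validateImageUpload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    // Extension -> IMAGETYPE_* constant that getimagesize() must report.
    $allowed = [
        'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
        'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF,
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Only the LAST extension counts, so "shell.jpg.php" is judged by "php"
    // and rejected; "shell.php.jpg" must additionally pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // getimagesize() inspects the file's magic bytes, not the client's name or
    // the client-supplied MIME type in $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen, unpredictable name; the extension is the validated one.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Assumed usage inside the upload action (field name 'file' is an assumption);
// the target directory should also have PHP execution disabled in the web server.
// $name = validateImageUpload($_FILES['file']);
// $dir  = __DIR__ . '/../public/res/upload/' . date('Y-m-d');
// move_uploaded_file($_FILES['file']['tmp_name'], $dir . '/' . $name);
```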

Preconditions

  • auth: Attacker must have valid administrative credentials to access the Zfaka backend
  • input: Attacker must know or brute-force the product ID (pid) parameter
  • input: Attacker must include a valid Referer header pointing to the product image upload page

Reproduction

1. Log into the Zfaka admin panel and obtain a valid product ID (e.g., by selecting a product and capturing the request).
2. Disable JavaScript in the browser to bypass the client-side file extension check.
3. Send a POST request to `/Admin/products/imgurlajax` with a multipart form containing a PHP file (e.g., `test.php` with `phpinfo();`) and the `pid` field set to the valid product ID.
4. Include the `Referer: http://xxx.top/Admin/products/imgurl/?id=12` header.
5. The file is saved to `/res/upload/YYYY-MM-DD/HHMMSS.php`; use Burp Intruder to brute-force the seconds component of the filename [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)