CVE-2024-40070

Vulnerability

The vulnerability is an arbitrary file upload issue in the id_generator/classes/Users.php script, specifically in the save action triggered by Users.php?f=save. This occurs in Sourcecodester Online ID Generator System version 1.0. An authenticated admin user can upload a PHP file (e.g., <?php phpinfo(); ?>) through the avatar upload feature. The application fails to validate the file type or restrict executable extensions, allowing any file to be saved and later accessed on the server [1].

Exploitation

An attacker must have admin credentials (default: admin/admin123) and be logged into the system. The attacker navigates to the user management page (/admin/?page=user) and uses the avatar upload functionality to select a crafted PHP file. The HTTP POST request to /id_generator/classes/Users.php?f=save includes the file in a multipart form. No additional authentication bypass is needed; the upload is performed directly with a valid session [1].

Impact

Successful exploitation allows arbitrary PHP code execution on the web server. The attacker can execute system commands, access sensitive files, modify data, or perform other malicious actions with the privileges of the web server (typically www-data or equivalent). The CIA triad is fully compromised: confidentiality, integrity, and availability are at risk [1].

Mitigation

No official patch or fixed version has been released as of the publication date (2025-04-16). The application is closed-source and unmaintained; users should consider replacing it with a secure alternative. As a workaround, restrict file uploads by adding server-side validation for file extensions and content type, and use .htaccess rules to block execution of uploaded files in the upload directory [1].