CVE-2024-40071
Description
Online ID Generator System 1.0 allows arbitrary file upload via SystemSettings.php, enabling remote code execution through a crafted PHP file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary file upload vulnerability exists in Sourcecodester Online ID Generator System version 1.0. The flaw resides in the SystemSettings.php file, specifically in the update_settings action, which handles logo uploads. The application fails to validate the file type, allowing an attacker to upload a malicious PHP file. The vulnerable endpoint is /id_generator/classes/SystemSettings.php?f=update_settings [1].
Exploitation
An attacker must first authenticate as an administrator (default credentials admin/admin123). After logging in, they navigate to the system information page (/id_generator/admin/?page=system_info) and upload a PHP file (e.g., containing <?php phpinfo(); ?>) as the system logo. Upon clicking "Update", a POST request is sent to the vulnerable endpoint, and the PHP file is saved to the server [1].
Impact
Successful exploitation allows arbitrary PHP code execution on the web server. The attacker can execute system commands, access sensitive data, or compromise the entire application and underlying server. The impact is complete compromise of confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2025-04-16), no official patch has been released by Sourcecodester. Users should restrict administrative access, implement strict file type validation (e.g., allow only image extensions), and consider disabling the logo upload feature if not required. The application may be end-of-life; migrating to a supported alternative is recommended [1].
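One way to implement the strict, image-only validation suggested above, written as an added example that is not the project's code; the `$_FILES` field name, the upload directory and the unvalidated "before" pattern are assumptions about how such a logo handler is typically structured, not code taken from SystemSettings.php:

```php
<?php
// Added example, not from Online ID Generator System. Assumed: the logo arrives
// as one entry of $_FILES and is written below $uploadDir. The "before" function
// is a hypothetical reconstruction of the unvalidated pattern, not the real code.

// Hypothetical unvalidated pattern: the client-supplied name is kept and the
// bytes are never inspected, so a .php upload lands in a web-served directory.
function store_logo_unvalidated(array $file, string $uploadDir): string {
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened version: allowlist the extension, check the detected MIME type,
// confirm the bytes decode as an image, and discard the client filename.
function store_logo_validated(array $file, string $uploadDir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('Logo exceeds 2 MiB');
    }
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Only PNG, JPEG or GIF logos are accepted');
    }
    // Content checks: an extension on its own is trivially spoofed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Extension .$ext does not match content type $mime");
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    // Server-chosen name: no request data reaches the filesystem path, and the
    // extension comes from the allowlist rather than from the upload.
    $dest = $uploadDir . '/logo_' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store logo');
    }
    return $dest;
}
```

Pair this with web-server configuration that refuses to execute scripts from the upload directory, so that a validation bypass still cannot turn an uploaded file into executable code.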
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.