Critical File Upload Flaw in Pizza Ordering Systems: What Indian Restaurants Must Know

What Happened

A critical vulnerability (CVE-2023-2246) has been discovered in SourceCodester's Online Pizza Ordering System version 1.0. The flaw exists in the admin/ajax.php file, specifically in the save_settings action, where the img parameter accepts unrestricted file uploads without proper validation.

This means an attacker can upload any file type—malware, web shells, backdoors—directly to your server by crafting a simple HTTP POST request to the vulnerable endpoint. No authentication bypass required, no complex exploit chain. Just a malicious file, and your entire system is compromised.

The vulnerability was disclosed publicly, meaning exploit code is now available in attacker toolkits. If your restaurant or food delivery business is running this software, automated bots are likely already scanning for vulnerable instances.

Why This Matters for Indian Businesses

If you're running a restaurant, cloud kitchen, or food delivery aggregator in India, this vulnerability directly affects you.

Direct Business Impact

Your ordering system is the front door to your revenue. A successful attack means customer data breach (names, phone numbers, addresses, order history), service downtime, ransomware deployment, and lasting reputational damage. In India's competitive food delivery market, a single breach covered on social media can permanently damage customer trust.

DPDP Act Compliance Risk

Under India's Digital Personal Data Protection (DPDP) Act, 2023, you must protect customer personal data with reasonable security measures and notify CERT-In within 6 hours of discovering a breach. Running a system with a publicly disclosed critical vulnerability — without patching — constitutes negligence under the Act.

Payment Gateway Compliance

If you accept credit or debit cards, you must comply with PCI DSS. A compromised system risks payment gateway access revocation and the inability to process cards until full remediation.

Supply Chain Risk

If you use this software as a vendor for larger aggregators, they conduct security audits. A known unpatched CVE can result in contract termination or mandatory security assessments.

Technical Breakdown

The Vulnerability Mechanics

The flaw is in /admin/ajax.php with action=save_settings. The vulnerable code pattern:

<?php
// VULNERABLE CODE - DO NOT USE
if ($_GET['action'] == 'save_settings') {
    if (isset($_FILES['img'])) {
        $upload_dir = '/uploads/';
        $filename = $_FILES['img']['name'];  // DANGEROUS: User input, no validation
        move_uploaded_file($_FILES['img']['tmp_name'], $upload_dir . $filename);
        echo "File uploaded successfully";
    }
}
?>

No file type validation. No extension whitelist. No MIME type checking. An attacker can upload .php shell scripts, .sh scripts, or any executable and access it directly from the web.

Attack Flow

graph TD
    A[Attacker identifies vulnerable site] -->|POST malicious file| B[/admin/ajax.php?action=save_settings]
    B -->|No validation, file stored| C[shell.php in /uploads/]
    C -->|GET /uploads/shell.php?cmd=whoami| D[Web shell executes on server]
    D -->|Read config files| E[Database credentials extracted]
    E -->|Connect to DB| F[Customer data exfiltrated]
    D -->|Alternative path| G[Ransomware deployed]
    G -->|Encrypt files| H[Business disrupted]
    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0

What an Attacker Does with Access

Once a PHP web shell is uploaded, the attacker can:

1. Read database configuration files and extract credentials
2. Dump the entire customer database
3. Install persistent backdoors
4. Deploy ransomware across the server
5. Modify website content to inject malware targeting your customers

How to Protect Your Business

Immediate Actions

Check for signs of compromise:

# Look for PHP files in the upload directory (there shouldn't be any)
find /var/www/html/uploads -name "*.php" -o -name "*.phtml" -o -name "*.php5"

# Check for recently created files
find /var/www/html/uploads -type f -newermt "$(date -d '7 days ago' +%Y-%m-%d)" -ls

# Review recent access log entries for the vulnerable endpoint
grep "ajax.php" /var/log/apache2/access.log | grep "save_settings"

Disable the vulnerable endpoint if you can't patch immediately:

# Nginx
location ~ /admin/ajax\.php {
    deny all;
}

# Apache .htaccess
<FilesMatch "ajax\.php">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Secure File Upload Implementation

<?php
// SECURE FILE UPLOAD HANDLER
if ($_GET['action'] == 'save_settings' && isset($_FILES['img'])) {
    // 1. Whitelist allowed extensions
    $allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $file_extension = strtolower(pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION));
    
    if (!in_array($file_extension, $allowed_extensions)) {
        die('Invalid file type');
    }
    
    // 2. Check MIME type (not just extension)
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime_type = finfo_file($finfo, $_FILES['img']['tmp_name']);
    finfo_close($finfo);
    
    $allowed_mimes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    if (!in_array($mime_type, $allowed_mimes)) {
        die('Invalid MIME type');
    }
    
    // 3. Rename file (prevent extension manipulation)
    $new_filename = 'img_' . uniqid() . '.' . $file_extension;
    
    // 4. Enforce file size limit
    if ($_FILES['img']['size'] > 5 * 1024 * 1024) {
        die('File too large');
    }
    
    // 5. Store outside webroot if possible
    $upload_dir = '/var/uploads/'; // Not accessible via HTTP
    move_uploaded_file($_FILES['img']['tmp_name'], $upload_dir . $new_filename);
    echo json_encode(['status' => 'success', 'file' => $new_filename]);
}
?>

Disable PHP Execution in Upload Directories

# Disable PHP execution in the uploads directory
echo 'php_flag engine off' > /var/www/html/uploads/.htaccess

# Nginx: block PHP execution in uploads
location /uploads {
    location ~ \.php$ {
        deny all;
    }
}

Set Security Headers

header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");

File Upload Security Checklist for Indian SMBs

How Bachao.AI Helps Detect This

Bachao.AI by Dhisattva AI Pvt Ltd automates detection of unrestricted file upload vulnerabilities as part of VAPT scanning. For a system like the one affected by CVE-2023-2246, the scan would:

1. Identify all file upload endpoints across your application
2. Test each endpoint with crafted payloads (PHP files with image MIME headers, polyglot files)
3. Verify whether uploaded files are executable from the web
4. Flag CVE matches with severity ratings and OWASP category mapping
5. Provide a DPDP Act-aligned risk report documenting the customer data exposure

Action Plan

This week:

1. [ ] Check if you're running SourceCodester Online Pizza Ordering System v1.0
2. [ ] Search for PHP files in your upload directories
3. [ ] Review access logs for ajax.php?action=save_settings requests

1. [ ] Replace all file upload code with validated, MIME-checking handlers
2. [ ] Disable PHP execution in upload directories
3. [ ] Run a VAPT scan to identify other injection and upload flaws

1. [ ] Subscribe to CERT-In advisories for open-source software you use
2. [ ] Monitor upload directories for unexpected file types
3. [ ] Train developers on OWASP File Upload Security guidelines

Frequently Asked Questions

What is an unrestricted file upload vulnerability? An unrestricted file upload vulnerability is a flaw where a web application accepts uploaded files without validating their type, content, or extension. This allows attackers to upload executable files (PHP shells, scripts) that the server then runs, giving the attacker remote code execution.

What is CVE-2023-2246? CVE-2023-2246 is a critical unrestricted file upload vulnerability (CVSS 9.8) in SourceCodester Online Pizza Ordering System v1.0. The img parameter in admin/ajax.php?action=save_settings accepts files of any type without validation, enabling unauthenticated remote code execution.

Does this require authentication to exploit? No. The endpoint is accessible without authentication, making this a no-prerequisites exploit. Any internet-accessible instance is exposed.

What Indian regulations does this affect? Under India's DPDP Act 2023, running a known vulnerable system without patching constitutes a failure of "reasonable security measures." Under CERT-In Directions 2022, any resulting breach requires notification within 6 hours.

How do I know if my server has been compromised? Look for unexpected PHP files in your upload directories, unusual outbound network connections, and anomalous entries in your web server access logs. If you find any of these, isolate the server immediately and contact CERT-In.

What should I do first — patch or investigate? Both simultaneously. Disable the vulnerable endpoint immediately, check for signs of compromise in parallel, and patch as soon as a stable version is available.

Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform by Dhisattva AI Pvt Ltd, DPIIT Recognized Startup. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.