A critical vulnerability (CVE-2022-43061) in Online Tours & Travels Management System v1. has been discovered that allows an authenticated attacker to execute arbitrary code on the server. The flaw lies in the /operations/travellers.php component, which accepts file uploads from authenticated users without validating them. An attacker can upload a PHP file through this component and then request it, so that the web server executes it; this can lead to data theft, server takeover and complete system compromise.

The following code snippet from /operations/travellers.php shows the vulnerability:

if (isset($_FILES['image_upload']['name'])) {
    // basename() only strips directory components from the client-supplied
    // name; the extension and the file content are never checked
    $file_name = basename($_FILES['image_upload']['name']);

    // The destination is built from the untrusted file name, so a name
    // ending in .php lands unchanged in a web-accessible directory
    $upload_directory = "../uploads/travellers/";
    $destination = $upload_directory . $file_name;

    // The uploaded file is moved as-is, whatever its type
    if (move_uploaded_file($_FILES['image_upload']['tmp_name'], $destination)) {
      [...]
    } else {
        // Handle upload error
        [...]
    }
}

As the code shows, the upload is handled by moving the file straight into the destination directory under its original name, without validating its type or content. An attacker can therefore upload an arbitrary PHP script, which the web server executes as soon as it is requested from its storage location.

Exploit Details

To exploit this vulnerability, an attacker would first need to gain authenticated access to the Tours & Travels Management System as a regular user. Then, they can craft a malicious PHP file and upload it using the interface provided for traveler profile images.

Upon successful upload, the malicious file will be stored in the /uploads/travellers/ directory. By navigating to the directory and directly accessing the uploaded file, the attacker can execute the malicious code, leading to arbitrary code execution on the server.

Mitigation Steps

To mitigate this vulnerability, the developers of Online Tours & Travels Management System should implement proper server-side file validation and only allow specific file types (such as images) to be uploaded. The file type must be determined on the server, since both the file name and the declared content type are supplied by the client and cannot be trusted.

Additionally, system administrators should configure file upload directories to prevent direct execution of uploaded files. One simple method is to store uploaded files with non-executable extensions (e.g., .jpg instead of .php). Another method is to store uploads outside the webroot, so that they cannot be directly accessed through URLs.
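The following hardened upload handler is an added example, not code from the project, showing how the mitigations above combine: the type is determined on the server from the file content, the client-supplied name is discarded, and the stored name and extension are chosen by the server. The form field image_upload and the travellers directory come from the original snippet; the function name saveTravellerImage(), the size limit and the storage path are assumptions.

```php
<?php
// Added example (not the project's code). Assumed: saveTravellerImage(),
// the 2 MiB limit and the storage path; image_upload is the original field.
function saveTravellerImage(array $file, string $storage_root): string
{
    // Accept only a real, successfully completed PHP upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // Allowlist keyed on the MIME type detected from the file content, not
    // on the client-supplied name or the client-supplied $file['type'].
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted');
    }
    // Second check: the file must actually parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Discard the user-supplied name entirely. The stored name is random and
    // the extension is derived by the server from the detected type, so no
    // client-chosen extension (.php, .phtml, double extensions) reaches disk.
    $stored_name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $destination = rtrim($storage_root, '/') . '/' . $stored_name;

    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($destination, 0644); // readable, never executable
    return $stored_name;
}

if (isset($_FILES['image_upload'])) {
    // Assumed storage root outside the web root; files are served back by a
    // script that streams them rather than by a direct URL.
    $name = saveTravellerImage($_FILES['image_upload'],
                               __DIR__ . '/../../private_uploads/travellers');
    // [...] store $name in the traveller record
}
```

Pair this with a web-server rule that refuses to execute scripts from the upload directory, so that even a bypass of the checks above yields no code execution.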

References

1. Online Tours & Travels Management System v1. source code
2. CVE-2022-43061 - National Vulnerability Database (NVD)

Conclusion

The arbitrary file upload vulnerability (CVE-2022-43061) in the Online Tours & Travels Management System v1. exposes the affected systems to significant security risks. Identifying and addressing this vulnerability is crucial for developers and system administrators who are responsible for implementing and maintaining Secure Development Life Cycle (SDLC) practices. Users of the Tours & Travels Management System should remain vigilant and apply security patches as soon as they become available.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:58:00 UTC