In the world of web security, file upload vulnerabilities are a serious threat. Let’s take a close look at CVE-2022-43061, a flaw in the *Online Tours & Travels Management System v1.*, which lets attackers upload and run malicious code on a vulnerable server. This post explains what went wrong, how it can be exploited, and what you can do about it.

What Is The Vulnerability?

CVE-2022-43061 is an arbitrary file upload vulnerability found in the /operations/travellers.php component of the Online Tours & Travels Management System v1.. In simple terms, the system allows users to upload files with little or no filtering. This means a hacker can upload a file containing malicious PHP code — for instance, a webshell — and then execute it on the server.

- CVE Record - CVE-2022-43061
- Exploit Details on Exploit-DB
- NVD Entry

Technical Details

The file upload happens in /operations/travellers.php. Here’s a simplified version of what vulnerable code might look like:

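```php
// File: /operations/travellers.php
if (isset($_FILES['profile_pic'])) {
    // Client-controlled name, used unchanged (this is the flaw)
    $file_name = $_FILES['profile_pic']['name'];
    $file_tmp = $_FILES['profile_pic']['tmp_name'];
    // No type check; written into the web-accessible uploads/ folder
    move_uploaded_file($file_tmp, "uploads/" . $file_name);
}
```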

- There’s no verification that the file is an image or safe.
- Files are placed directly in a web-accessible folder (uploads/).


http://victim-site/uploads/shell.php?cmd=whoami

Video Demonstration

Although we can’t embed a video here, you can see public exploits working on sites like YouTube: Arbitrary PHP File Upload Exploit Demo.

Pivot for deeper attacks.

It’s essentially remote code execution (RCE).

1. Check uploaded file types

```php
// $file_name is the client-supplied name from $_FILES['profile_pic']['name']
$allowed_ext = ['jpg', 'jpeg', 'png', 'gif'];
$ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_ext, true)) {
    die("Invalid file type!");
}
```

2. Check MIME types

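```php
// Detect the type from the uploaded file's contents, not from the client-sent header
$mime = mime_content_type($file_tmp);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    die("Invalid MIME type!");
}
```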

3. Rename files and store them outside web root
Instead of saving files in /uploads, use a directory not accessible from the web, or rename files to something unpredictable.
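
Steps 1 to 3 combined into one upload handler, as an added example that is not the application's own code or a vendor patch. The `UPLOAD_DIR` path, the `MAX_BYTES` limit and the `store_profile_pic()` helper are assumptions made for illustration; the `profile_pic` field name comes from the simplified snippet above.

```php
<?php
// Added example, not the application's code. UPLOAD_DIR, MAX_BYTES and
// store_profile_pic() are hypothetical names chosen for illustration.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/app-data/traveller-pics'; // assumed: outside the web root
const MAX_BYTES   = 2 * 1024 * 1024;                // assumed size limit
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const MIME_TO_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_pic(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload failed or too large');
    }

    // Step 1: allowlist on the client-supplied extension (cheap early reject).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('Invalid file type');
    }

    // Step 2: type detected from the file contents, never $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(MIME_TO_EXT[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Invalid MIME type');
    }

    // Step 3: server-chosen random name and extension, outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . MIME_TO_EXT[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name; // store this in the traveller record, not the original name
}

if (isset($_FILES['profile_pic'])) {
    try {
        $stored = store_profile_pic($_FILES['profile_pic']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Upload rejected');
    }
}
```

A file that passes both checks can still carry PHP in its metadata or trailing bytes, so the step that actually prevents execution is step 3: the web server never maps a URL to `UPLOAD_DIR`, and the extension on disk is chosen by the server.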

Conclusion

CVE-2022-43061 makes it extremely easy for hackers to take over a vulnerable Online Tours & Travels Management System. Always sanitize uploads, check the file type, and restrict file execution to keep your site safe. Patch your software now, and tell others who use this app!


Read official references:  
- CVE-2022-43061 on NVD  
- Exploit-DB 51085  
- Vendor page *(archived)*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:58:00 UTC