CVE-2022-44401 - Online Tours & Travels Management System v1. Arbitrary File Upload Vulnerability
Online Tours & Travels Management System v1. (OTTMS) is a web application that allows users to manage their travel bookings and services. It is a popular solution for small to medium-sized travel agencies. However, a critical security vulnerability has been identified in the application's file upload feature, allowing attackers to upload arbitrary files to the server, potentially leading to remote code execution.
This post provides an in-depth analysis of the vulnerability (CVE-2022-44401), including code snippets, original references, and details about the exploit.
Description of the Vulnerability
In OTTMS v1., there is a file upload feature in the admin panel (/tour/admin/file.php) that allows authorized users to upload files to the server. However, due to improper validation of user input and file types, an attacker with access to the admin panel can upload arbitrary files, including scripts and executables, that can be executed on the server.
This vulnerability allows attackers to compromise the server and potentially perform remote code execution, leading to a complete takeover of the affected system. It has been assigned the CVE-ID CVE-2022-44401.
Original research and documentation of this vulnerability can be found in the following links:
- CVE-2022-44401 - National Vulnerability Database (NVD)
- Online Tours & Travels Management System v1. - Arbitrary File Upload
The vulnerable code is found in /tour/admin/file.php:
<?php
if (isset($_POST['submit'])) {
    // Destination directory is inside the web root, so anything stored here is served directly.
    $path = "../images/";
    // The file name comes straight from the client and is never checked.
    $file_name = $_FILES['file']['name'];
    $file_tmp_name = $_FILES['file']['tmp_name'];
    $file_size = $_FILES['file']['size'];
    // No extension, MIME or content check before the file is written with its original name.
    move_uploaded_file($file_tmp_name, $path.$file_name);
}
As we can see, there is no validation of the uploaded file's type or content. When a user uploads a file, the code simply moves it to the "images" directory without any further checks.
Exploit Details
To exploit this vulnerability, an attacker needs access to the admin panel of the affected application. The attacker can then create a malicious script (e.g., PHP, Python, or JavaScript) that, when executed, can compromise the server.
Here is a sample PHP payload that an attacker may upload:
<?php
// Execute a command on the server
system($_GET['cmd']);
?>
After uploading this file to the server, the attacker can execute arbitrary commands by accessing the uploaded file using a URL similar to this:
http://<target>/tour/images/malicious.php?cmd=<command>
This would execute the specified command on the server, potentially leading to a full system compromise.
Mitigation
To prevent exploitation, proper input validation and file type restriction should be applied to the file upload feature. Ideally, the upload feature should accept only the specific file types it needs, such as images. Additionally, uploaded files should be checked to ensure they do not contain malicious content.
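The following is an added example of a hardened replacement for the handler shown above; it is not code from the OTTMS project or from the original advisory. It keeps the same `isset($_POST['submit'])` entry point and the same `../images` destination so the contrast with the vulnerable snippet is direct, but the function name `store_uploaded_image`, the allowed-type table and the size limit are assumptions chosen for illustration. The type is decided from the file's bytes (`finfo` plus `getimagesize`), the stored name and extension are generated server-side, and the client-supplied name is never used.

```php
<?php
// Added example, not the OTTMS project's code: hardened upload handler.
// ALLOWED_IMAGE_TYPES and MAX_UPLOAD_BYTES are assumed policy values.

// Content-detected MIME type => extension we will store the file under.
// The extension is chosen here, never copied from the client's file name.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB, assumed limit

/**
 * Validate one entry of $_FILES as an image and store it under a random name.
 * Returns the stored file name; throws RuntimeException on any rejection.
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    // 1. PHP-level upload errors (partial upload, php.ini size limits, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // 2. Only accept files that really arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Enforce our own size ceiling regardless of php.ini.
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Detect the type from the file content, not from $_FILES['file']['name']
    //    or $_FILES['file']['type'], both of which the client controls.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Disallowed file type: ' . $mime);
    }
    // 5. Require that the bytes actually parse as an image of that kind.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File content is not a valid image');
    }
    // 6. Random server-generated name with a fixed, known-safe extension.
    //    The original name (and any "../" or ".php" in it) is discarded.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store uploaded file');
    }
    // 7. Stored file is readable only; never executable by the web server user.
    chmod($dest, 0644);
    return $storedName;
}

// Request handling, mirroring the original entry point.
if (isset($_POST['submit']) && isset($_FILES['file'])) {
    try {
        $name = store_uploaded_image($_FILES['file'], __DIR__ . '/../images');
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points about the design are worth noting. Content sniffing alone is not a complete fix, because a file can be both a valid image and carry embedded text, so the random server-chosen extension is what guarantees the stored file is never mapped to the PHP interpreter; pairing this with a web server rule that disables script execution for the images directory (for example `php_flag engine off` in an Apache `.htaccess`, or an nginx `location` block that serves the directory as static files only) gives defence in depth. Second, this handler still relies on the admin panel's own authentication, which the advisory above assumes an attacker has already passed; the upload endpoint should additionally verify the session and a CSRF token before reaching this code.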
Final Thoughts
This vulnerability is a stark reminder that even seemingly innocuous features like file uploads can have severe security consequences if not implemented securely. Developers must remain vigilant and adhere to best practices in order to minimize the risk of such vulnerabilities. Patching and updating software should also be a priority for system administrators.
Further research into the Online Tours & Travels Management System's codebase may reveal additional security vulnerabilities. Therefore, it is important that users stay informed and apply patches and updates promptly to protect their systems.
Timeline
Published on: 11/28/2022 15:15:00 UTC
Last modified on: 11/28/2022 19:15:00 UTC