VYPR
Unrated severity · NVD Advisory · Published May 13, 2022 · Updated Aug 3, 2024

CVE-2022-30408

Description

Covid-19 Travel Pass Management System v1.0 is vulnerable to file deletion via /ctpms/classes/Master.php?f=delete_img.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Covid-19 Travel Pass Management System v1.0 allows arbitrary file deletion via an unauthenticated POST request to Master.php.

Vulnerability

Covid-19 Travel Pass Management System v1.0 is vulnerable to arbitrary file deletion through the delete_img function in /ctpms/classes/Master.php. The affected code path accepts a user-supplied path parameter without proper validation, enabling an attacker to delete any file on the server that the web server process can access. The vulnerability is present in the version published by SourceCodester [1].

Exploitation

An attacker can exploit this by sending a POST request to /ctpms/classes/Master.php?f=delete_img with a URL-encoded file path in the request body. The provided reference shows a successful exploit using path=C%3A%5Cxampp%5Chtdocs%5Cctpms%5Cshell.php to delete a file named shell.php. No authentication is required; the vulnerability is accessible to anyone who can reach the web endpoint [1].

Impact

Successful exploitation allows the attacker to delete arbitrary files, including web application files, configuration files, or uploaded content. This can lead to denial of service, defacement, or removal of critical application data. The severity is high as it requires no privileged access [1].

Mitigation

As of the publication date (May 13, 2022), no official patch has been released. The vendor, SourceCodester, has not provided a fix or advisory. Users are advised to restrict access to the delete_img endpoint via web server configuration (e.g., .htaccess rules) or implement input validation and authentication checks. The PHP file Master.php should be reviewed and the delete_img function hardened or removed if not needed [1].
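
One way to implement the input validation suggested above, as an added PHP example that is not SourceCodester's code and not taken from the cited reference: a deletion helper that canonicalises the requested path and refuses anything outside a single upload directory. The function name, the uploads directory and the allowed extensions are assumptions, and the endpoint still needs its own authentication check.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the application's code): delete $requested only if
// it resolves to an image file inside $baseDir.
function delete_image_safely(string $requested, string $baseDir): bool
{
    $allowedExt = ['jpg', 'jpeg', 'png', 'gif']; // assumed upload types

    // realpath() collapses "..", follows symlinks, and returns false when the
    // path does not exist, so the comparison below uses canonical paths.
    $base   = realpath($baseDir);
    $target = realpath($requested);
    if ($base === false || $target === false) {
        return false;
    }

    // Trailing separator keeps "/uploads_old" from matching "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!is_file($target) || !in_array($ext, $allowedExt, true)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: uploads/pass.png is deletable, everything else is not.
$sep     = DIRECTORY_SEPARATOR;
$root    = sys_get_temp_dir() . $sep . 'ctpms_demo_' . bin2hex(random_bytes(4));
$uploads = $root . $sep . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . $sep . 'pass.png', 'constructed');
file_put_contents($uploads . $sep . 'notes.php', 'constructed');
file_put_contents($root . $sep . 'config.php', 'constructed');

$cases = [
    'traversal out of uploads' => $uploads . $sep . '..' . $sep . 'config.php',
    'absolute path elsewhere'  => $root . $sep . 'config.php',
    'non-image inside uploads' => $uploads . $sep . 'notes.php',
    'image inside uploads'     => $uploads . $sep . 'pass.png',
];
foreach ($cases as $label => $path) {
    printf("%-26s %s\n", $label, delete_image_safely($path, $uploads) ? 'deleted' : 'refused');
}
```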

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
