CVE-2022-30529
Description
File upload vulnerability in asith-eranga ISIC tour booking, through the version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The bundled file manager in ISIC tour booking (dialog.php and upload.php) accepts arbitrary file uploads, which can lead to RCE.
Vulnerability
A file upload vulnerability exists in the ISIC tour booking system as of its last commit on February 13, 2018. The files /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php do not properly validate uploaded files, allowing an attacker to upload arbitrary files to the server [1].
Exploitation
An attacker can directly upload arbitrary files via upload.php without authentication. According to [2], the exploit may also involve a multi-step process: first, obtain the admin username via information disclosure; then, bypass login using SQL injection (e.g., username=admin' union select 1,2,3,4,5,6,'0192023a7bbd73250516f069df18b500',8,9 limit 1,1#&password=admin123); finally, send a GET to dialog.php?type=0&editor=mce_0&field_id=selected_file followed by a POST to upload.php with a webshell.
Impact
Successful exploitation allows an attacker to upload a webshell, leading to remote code execution (RCE) on the server. This can result in full compromise of the application and potentially the underlying host, including data theft, further lateral movement, and denial of service.
Mitigation
No official patch has been released; the project is unmaintained. Mitigation includes removing or restricting access to the vulnerable scripts via web server configuration (e.g., .htaccess), applying a web application firewall (WAF) to block file uploads to these paths, and migrating to a maintained tour booking solution.
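One way to apply the web-server-configuration mitigation described above, as an added example that is not part of the CVE record or the project: an `.htaccess` file placed inside the `filemanager` plugin directory named in the description, which denies all HTTP access to `dialog.php`, `upload.php` and everything else in that directory. It assumes Apache with `AllowOverride` enabled for this path; the `<IfModule>` branches cover both Apache 2.4 (`mod_authz_core`) and the older 2.2 syntax.

```apache
# Place this file at:
#   /system/application/libs/js/tinymce/plugins/filemanager/.htaccess
# (path taken from the CVE description; the web root prefix is deployment-specific)
#
# Denies every request into the file manager plugin directory, including
# dialog.php and upload.php. This is a containment measure only: it does not
# fix the missing upload validation, it just makes the scripts unreachable.

# Apache 2.4+ syntax
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback syntax
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After deploying, a request for `.../plugins/filemanager/dialog.php` should return HTTP 403 rather than rendering the file-manager dialog; if it still returns 200, `AllowOverride` is most likely set to `None` for that path and the same directives must be placed in the server's `<Directory>` block instead. Files already uploaded through the vulnerable scripts are not affected by this change and should be reviewed separately.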
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
asith-eranga/ISIC tour booking
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.