CVE-2022-30819
Description
In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "photos_edit.php" file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wedding Management System v1.0 allows arbitrary file upload through the Gallery edit endpoint /admin/photos_edit.php. According to the referenced proof of concept [1] the request needs no authenticated session, and the uploaded PHP file is executed by the server, giving remote code execution.
Vulnerability
Wedding Management System v1.0 by codeastro.com contains an arbitrary file upload vulnerability in photos_edit.php, located under the /admin directory. The flaw is in the Gallery module's edit function, reached with a POST request to /admin/photos_edit.php?id=37 (the id is the gallery entry being edited). The handler neither validates nor restricts the type of the uploaded file, so an attacker can submit a PHP web shell (e.g., shell.php) in the image field. The file is written to /admin/upload/gallery/ under the name the attacker supplied, and because that directory sits inside the web root the server executes the file when it is requested [1].
Exploitation
An attacker exploits this by sending a crafted multipart/form-data POST to the vulnerable endpoint with a PHP file in the image field, then requesting the stored file from /admin/upload/gallery/. Per the proof of concept in [1], the upload does not require an authenticated session even though the script lives under /admin; the attacker needs only network access to the web application. The PoC in [1] uploads a PHP file that calls phpinfo() to confirm that the server executes the uploaded content.
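The request-then-fetch sequence described above leaves a recognisable trace in the web server access log: a POST to /admin/photos_edit.php followed by a GET for a PHP file under /admin/upload/gallery/. The following detector is an added example, not part of the referenced proof of concept or of the vendor's code; it assumes the combined log format used by Apache and Nginx, the upload path stated above, and the log lines are constructed for illustration rather than captured from a real system.

```python
"""Detect the CVE-2022-30819 exploitation pattern in web server access logs.

Added example, not from the vendor or the referenced PoC. Assumptions:
"combined" log format and uploads stored under /admin/upload/gallery/.
"""
import re
from collections import defaultdict

# Combined log format:
# host ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINT = "/admin/photos_edit.php"
UPLOAD_DIR = "/admin/upload/gallery/"
# Extensions a typical PHP handler configuration will execute.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_rce(lines):
    """Return (ip, path, preceded_by_post, status) tuples for every request
    that fetched an executable file out of the image upload directory.

    A script file served from the gallery directory is suspicious on its own;
    the flag is True when the same client POSTed to the edit endpoint earlier,
    which is the full exploitation sequence.
    """
    posted = defaultdict(bool)  # ip -> has this client POSTed to the endpoint?
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the ?id=... query string
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posted[rec["ip"]] = True
        elif path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
            hits.append((rec["ip"], path, posted[rec["ip"]], rec["status"]))
    return hits


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/May/2022:10:01:02 +0000] "GET /admin/photos_edit.php?id=37 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/May/2022:10:01:09 +0000] "POST /admin/photos_edit.php?id=37 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/May/2022:10:01:15 +0000] "GET /admin/upload/gallery/shell.php HTTP/1.1" 200 73412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/May/2022:10:05:00 +0000] "GET /admin/upload/gallery/wedding1.jpg HTTP/1.1" 200 88000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, after_post, status in find_upload_rce(SAMPLE_LOG):
        print(f"{ip} fetched {path} (status {status}, after POST to edit endpoint: {after_post})")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a hit with status 200 means the server actually executed (or at least served) the uploaded script, and the file named in the path is the first artifact to preserve.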
Impact
Successful exploitation gives arbitrary PHP code execution with the privileges of the web server process (for example, www-data), which amounts to full remote code execution (RCE) on the host. From there an attacker can read or modify the application's files and database, steal data, plant persistence, and move laterally to other systems reachable from the server [1].
Mitigation
As of the publication date (May 31, 2022), no official patch has been released by the vendor. Users should contact the vendor for updates and, in the meantime, harden the upload handler themselves: validate uploads server-side against an allowlist of image extensions, check the file content (magic bytes) rather than trusting the client-supplied filename or Content-Type, store files under a server-generated name, and configure the upload directory so that it cannot execute scripts (disable the PHP handler for /admin/upload/gallery/). Restrict /admin to authenticated administrators, or disable photos_edit.php entirely, until a fix is available [1].
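The checks listed above, as an added example that is not the vendor's code: the page does not reproduce the vulnerable handler, but the generic pattern behind this class of bug is a call such as move_uploaded_file($_FILES['image']['tmp_name'], 'upload/gallery/' . $_FILES['image']['name']) with no validation, and the fix belongs in that PHP handler. The logic is written in Python here so it runs stand-alone; the policy it assumes (JPEG/PNG/GIF only, a 5 MB cap, random server-chosen names) and the sample payloads are constructed for illustration.

```python
"""Server-side upload validation of the kind the mitigation calls for.

Added example, not the vendor's code; Python reimplementation of checks that
would go in the PHP handler behind /admin/photos_edit.php. Assumed policy:
JPEG/PNG/GIF only, size cap, server-generated filename.
"""
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024

# Magic bytes for the image types the gallery is expected to hold.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Allowed client extensions, mapped to the canonical extension we store.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
# PHP open tags inside otherwise valid image data (image/PHP polyglots).
# "<?" alone is not used: two bytes match real image data far too often.
PHP_MARKERS = (b"<?php", b"<?=")


class UploadRejected(ValueError):
    pass


def detect_type(data):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def validate_upload(client_name, data):
    """Return a safe, server-chosen filename (32 hex chars + extension) or raise.

    Neither the client filename nor the client Content-Type is trusted: the
    extension must be on the allowlist AND the bytes must carry the matching
    image signature, and the stored name never comes from the client, so a
    name like shell.php or ../../x.php cannot reach the filesystem.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Basename only: strips any directory components in the client name.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    detected = detect_type(data)
    if detected is None or detected != ALLOWED_EXT[ext]:
        raise UploadRejected("content does not match an allowed image type")
    if any(marker in data for marker in PHP_MARKERS):
        raise UploadRejected("PHP code embedded in image data")
    return f"{secrets.token_hex(16)}.{ALLOWED_EXT[ext]}"


def rejected(client_name, data):
    """True if validate_upload refuses the upload (used by the checks below)."""
    try:
        validate_upload(client_name, data)
        return False
    except UploadRejected:
        return True


# Constructed sample payloads (not captured from a real system).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SHELL_PHP = b"<?php phpinfo(); ?>"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    print("photo.png        ->", validate_upload("photo.png", GOOD_PNG))
    print("shell.php        -> rejected:", rejected("shell.php", SHELL_PHP))
    print("shell.php.jpg    -> rejected:", rejected("shell.php.jpg", SHELL_PHP))
    print("polyglot .jpg    -> rejected:", rejected("photo.jpg", POLYGLOT))
```

The validator is only one layer: the directory the file lands in should also be configured so the server never hands files there to the PHP engine (for mod_php, `php_admin_flag engine off` in a Directory block for the upload path; for nginx, no fastcgi location covering it), and the endpoint itself must sit behind an authenticated admin session.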
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Wedding Management System / Wedding Management System
  - Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference listed ([1], the proof of concept cited above).
News mentions
No linked articles in our index yet.