VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2022 · Updated Aug 3, 2024

CVE-2022-40721

Description

Arbitrary file upload vulnerability in php uploader

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP File Uploader by CreativeDream allows unauthenticated arbitrary file upload to web root, enabling remote code execution.

Vulnerability

The php-uploader library by CreativeDream allows unauthenticated arbitrary file upload to the web root directory. The vulnerability resides in the examples/upload.php script, which does not validate file type or restrict upload paths. Any file, including executable scripts such as .php files, can be uploaded. No specific version is mentioned in the available references, but the codebase is hosted at [1][2][3].

Exploitation

An attacker can send a crafted HTTP POST request to the examples/upload.php endpoint using multipart/form-data. The exploit is demonstrated via a simple curl command: curl -vk http://localhost/php-uploader/examples/upload.php -F "files=@shell.php". No authentication is required, and the attacker only needs network access to the vulnerable endpoint. The uploaded file is placed directly into the web root, making it immediately accessible via a browser [1][3].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server by accessing the uploaded shell script, leading to full remote code execution (RCE) with the privileges of the web server. This results in complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

As of the advisory date (2022-09-08) and the publication date (2022-10-03), no official patch or fixed version has been released. The vendor was notified in 2020 but no response is indicated. Immediate workarounds include removing or restricting access to the examples/upload.php file, implementing server-side file type validation, and moving the upload directory outside the web root. Users should monitor the GitHub repository for future updates [1][2][3].
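The workarounds listed above (server-side file type validation, a server-chosen file name, and an upload directory outside the web root) as one upload handler, written here as an added example; it is not code from the php-uploader project and not a vendor patch. The storage path /var/app-data/uploads, the 5 MiB cap and the extension allow-list are assumptions, and the form field name "files" is taken from the curl command in the advisory text (a single file, not a files[] array).

```php
<?php
// Added example, not the php-uploader project's code.
// Assumptions: UPLOAD_DIR is outside DocumentRoot; the allow-list and size cap are illustrative.
declare(strict_types=1);

// Storage directory OUTSIDE the web root, so nothing uploaded is ever served or executed directly.
const UPLOAD_DIR = '/var/app-data/uploads';   // assumption: not under the web root
const MAX_BYTES  = 5 * 1024 * 1024;           // assumption: 5 MiB cap

// Allow-list of extension => expected MIME type. Script extensions (.php, .phtml, ...) are never listed.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one $_FILES entry and store it under a random name; returns the stored path or throws.
 */
function storeUpload(array $file): string
{
    // 1. PHP's own upload status must be clean (no partial upload, no missing file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    // 2. Only handle files that really arrived via HTTP upload, never an arbitrary local path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Size limit, checked against the bytes actually on disk rather than the client-reported size.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Extension allow-list. The client-supplied name is used only to pick the extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not permitted');
    }
    // 5. Server-side content sniffing must agree with the claimed extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // 6. Server-chosen random name: the client controls neither the name, the path, nor a double extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Upload directory unavailable');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // stored file is never executable
    return $dest;
}

// Request handler: accepts a single field named "files" (the field name used in the advisory's curl command).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['files'])) {
    header('Content-Type: application/json');
    try {
        $path = storeUpload($_FILES['files']);
        // Return an opaque identifier, not the filesystem path.
        echo json_encode(['ok' => true, 'id' => basename($path)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
    }
} else {
    http_response_code(405);
}
```

Because the stored file lives outside the web root and has a random, allow-listed extension, even a file whose content is PHP source is never reachable as a URL and is never handed to the interpreter; serving it back to users would go through a separate read-only endpoint that sets the Content-Type from the allow-list rather than from the file.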

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.