CVE-2022-44384
Description
An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rConfig v3.9.6 allows an authenticated attacker to upload a crafted PHP file, leading to remote code execution via the device backup functionality.
Vulnerability
An arbitrary file upload vulnerability exists in rConfig v3.9.6 (and possibly earlier versions). The bug resides in the device backup functionality, where the application fails to properly validate the file type of uploaded files. An authenticated attacker can upload a file with a .php extension, which is then stored in a web-accessible directory and can be executed by the server [1].
Exploitation
To exploit this vulnerability, an attacker must have valid credentials for the rConfig web interface (i.e., the attacker must be authenticated). The exploit is carried out by sending a crafted HTTP POST request to the vulnerable endpoint, typically commands.inc.php, with the malicious PHP file included in the request payload. The file is saved to a path such as /home/rconfig/public_html/rconfig/commands/ and can then be accessed via a separate HTTP request to trigger execution [1].
Impact
Successful exploitation allows the attacker to achieve remote code execution on the underlying server with the privileges of the web server user (typically www-data). This enables full compromise of the rConfig application and, depending on server configuration, potential lateral movement within the network. The attacker can execute arbitrary system commands, read, write, or delete files, and install further malware [1].
Mitigation
As of the publication date of this CVE (2022-11-17), no official patch or updated version has been released by rConfig to address this vulnerability. Users are advised to restrict access to the rConfig web interface to trusted networks only and to implement strong authentication and file upload validation controls. The vulnerability is listed in the Exploit Database as EDB-ID 49783, indicating that exploit code is publicly available. Organizations should consider upgrading to a secure alternative if rConfig does not provide a fix [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- rconfig/rconfig
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing file type validation in vendor logo upload allows arbitrary PHP file upload."
Attack vector
An authenticated attacker sends a POST request to `/lib/crud/vendors.crud.php` with a multipart form containing a `vendorLogo` file field [ref_id=1]. The payload is a PHP web shell disguised with `Content-Type: image/gif` and a `.php` extension. The uploaded file is stored under `/images/vendor/` and can be accessed directly to execute arbitrary OS commands via the `cmd` GET parameter [ref_id=1]. The attacker must first authenticate using valid credentials (default `admin/admin`) via `/lib/crud/userprocess.php` [ref_id=1].
Affected code
The vulnerable endpoint is `/lib/crud/vendors.crud.php`, which handles the `vendorLogo` file upload without validating the file extension or content type [ref_id=1]. The uploaded file is stored under `/images/vendor/` and made directly accessible via the web server [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation guidance. To close this vulnerability, the application should validate the content of uploaded files against an allow-list of MIME types, reject executable extensions (e.g., `.php`), and store uploads outside the web root or serve them with a `Content-Disposition: attachment` header from a location where the web server does not execute scripts.
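The following is an added example of the hardened upload handling described above; it is not rConfig's code. It keeps the `vendorLogo` field name from the advisory, but the upload directory path, the function names and the size limit are assumptions.

```php
<?php
// Added example (not rConfig's code): a hardened image upload handler for a
// form field such as vendorLogo. Assumed: UPLOAD_DIR lies outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/rconfig-uploads/vendor'; // assumed path, not web-served
const MAX_BYTES  = 512 * 1024;                         // assumed limit

// Allow-list of image types. Key: MIME type sniffed from the file content;
// value: the extension the stored file receives (never the user-supplied one).
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function validate_logo_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content; ignore the client-supplied $file['type'] and name,
    // which is what a "Content-Type: image/gif" disguise relies on.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // The file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    return ALLOWED[$mime];
}

function store_logo_upload(array $file): string
{
    $ext  = validate_logo_upload($file);
    // Server-chosen random name: no user-controlled path, dots or extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name; // persist this name; serve the file through a download script
}

// Usage inside the form handler:
// $stored = store_logo_upload($_FILES['vendorLogo']);
```

Content sniffing and `getimagesize()` reject plain scripts but not a valid image with script appended, so the decisive control is that `UPLOAD_DIR` is never served by the web server as executable content; a small download script should stream the stored file with a `Content-Type` derived from the stored extension and `Content-Disposition: attachment`.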
Preconditions
- auth: Attacker must have valid rConfig credentials (default admin/admin)
- network: Attacker must reach the rConfig web interface over HTTPS on port 443
- input: Attacker must supply a multipart POST request with a .php file as vendorLogo
Reproduction
1. Authenticate: POST `https://<host>/lib/crud/userprocess.php` with `user=admin&pass=admin&sublogin=1`.
2. Upload shell: POST `https://<host>/lib/crud/vendors.crud.php` with multipart field `vendorLogo` containing a file named `banana.php` with content `<?php $cmd=$_GET['x'];system($cmd);?>`.
3. Execute: GET `https://<host>/images/vendor/x.php?cmd=<command>` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.