Bdtask Flight Booking Software Unrestricted File Upload Vulnerability in Deposit Handler
Vulnerability
A critical vulnerability allowing unrestricted file uploads has been identified in Bdtask Flight Booking Software versions through 3.1. This issue resides in the Deposit Handler component, specifically within the file '/admin/transaction/deposit'. The vulnerability allows authenticated users to upload malicious files, such as PHP web shells, which can then be executed on the server. The flaw can be exploited remotely, and the vendor has not responded to disclosure attempts.
Impact
Exploitation of this vulnerability could lead to remote code execution on the server, allowing attackers to execute arbitrary commands with the same privileges as the web server user. This could result in a full server compromise, unauthorized access to the application database, website defacement, and potential lateral movement within the internal network.
Reproduction
To reproduce this vulnerability, log into the Bdtask B2B portal and navigate to 'Transaction -> Deposit'. Upload a malicious PHP file through the 'Document' upload field, which lacks proper server-side validation. Once the file is uploaded, it will appear in the 'Pending Transactions' section. Access the uploaded file via its URL to execute the embedded commands, confirming successful exploitation.
Remediation
It is recommended to implement server-side validation of file uploads by enforcing a strict whitelist of allowed file extensions and MIME types. Uploaded files should be stored outside of the webroot and accessed through a secure script to prevent direct execution. Additionally, renaming uploaded files to non-executable names can help mitigate the risk.
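The following upload handler is an added example written for this advisory; it is not code from Bdtask or from the vulnerable application. It implements the remediation above in Python so the checks can be run offline: a whitelist that ties each permitted extension to the MIME type the client must declare and to the magic bytes the content must begin with (the client's declared MIME type alone is attacker-controlled, so content is checked too), rejection of multi-extension names such as 'shell.php.pdf', a random server-chosen storage name with no user-controlled part, a non-executable file mode, and a serving routine that only resolves names the server itself issued. The allowed-type table, the size limit, the upload directory and the sample uploads are all constructed for the demonstration; the upload directory is assumed to lie outside the webroot.

```python
import os
import re
import secrets
import tempfile

# Constructed policy for this example (the advisory names no real list):
# each permitted extension maps to the MIME type the client must declare
# and the magic bytes the file content must begin with.
ALLOWED_TYPES = {
    "pdf": ("application/pdf", (b"%PDF-",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit
STORED_NAME = re.compile(r"[0-9a-f]{32}\.(pdf|png|jpg)")


def check_upload(filename: str, declared_mime: str, data: bytes) -> tuple:
    """Whitelist check for one upload. Returns (True, ext) or (False, reason)."""
    if not data or len(data) > MAX_BYTES:
        return False, "bad size"
    # Drop any directory part the client sent; a NUL byte is never legitimate.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "invalid filename"
    parts = base.lower().split(".")
    # Exactly one extension: rejects 'x.php.pdf', 'x.pdf.php', '.htaccess', 'noext'.
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    mime, magic = ALLOWED_TYPES[ext]
    if declared_mime != mime:
        return False, "declared MIME does not match extension"
    if not data.startswith(magic):
        return False, "content does not match extension"
    # Heuristic against polyglots: a valid image or PDF that also carries PHP tags.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, ext


def store_upload(upload_root: str, ext: str, data: bytes) -> str:
    """Write the file under a random server-chosen name. upload_root is assumed
    to sit outside the webroot, so nothing stored here is reachable by URL."""
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_root, stored)
    with open(path, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    os.chmod(path, 0o640)  # readable by the application, never executable
    return stored


def serve_document(upload_root: str, stored_name: str):
    """Hand a stored document back through the application rather than a direct URL."""
    if not STORED_NAME.fullmatch(stored_name):
        return None  # only names this server issued are ever resolved
    path = os.path.join(upload_root, stored_name)
    with open(path, "rb") as fh:
        body = fh.read()
    mime = ALLOWED_TYPES[stored_name.rsplit(".", 1)[1]][0]
    headers = {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


# Constructed sample uploads in the shape a 'Document' field would submit.
SAMPLES = [
    ("receipt.pdf", "application/pdf", b"%PDF-1.4\n% constructed receipt\n%%EOF\n"),
    ("deposit.php", "application/pdf", b"<?php /* constructed marker, not a real script */ ?>"),
    ("deposit.php.pdf", "application/pdf", b"%PDF-1.4\n"),
    ("deposit.pdf", "image/png", b"%PDF-1.4\n"),
    ("scan.png", "image/png", b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>"),
]


def run_demo() -> dict:
    """Run every sample through the checks; returns {filename: outcome}."""
    root = tempfile.mkdtemp(prefix="deposits-")  # stands in for the out-of-webroot directory
    results = {}
    for name, mime, data in SAMPLES:
        ok, info = check_upload(name, mime, data)
        if ok:
            stored = store_upload(root, info, data)
            headers, body = serve_document(root, stored)
            results[name] = ("accepted", headers["Content-Type"], len(body))
        else:
            results[name] = ("rejected", info)
    # A request for a name the server never issued resolves to nothing.
    results["direct-php-lookup"] = serve_document(root, "deposit.php")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Running the block accepts only the genuine PDF and rejects the PHP file, the double-extension name, the MIME/extension mismatch and the PNG carrying PHP tags; the polyglot check is a heuristic and does not replace keeping the upload directory outside the webroot, which is what actually stops execution.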
