Bdtask Flight Booking Software Unrestricted File Upload Vulnerability in Package Information Module
Vulnerability
A vulnerability allowing unrestricted file upload has been identified in Bdtask Flight Booking Software versions prior to 3.1. This issue resides within the Package Information Module, specifically in the B2C portal, where the file upload feature for travel packages lacks proper validation. As a result, authenticated users can upload executable scripts, such as PHP web shells, which are then saved to a web-accessible directory and can be executed remotely.
Impact
Exploitation of this vulnerability allows authenticated users to upload malicious files that can be executed on the server, leading to remote code execution. This could result in a full server compromise, unauthorized access to the application database, website defacement, and potential attacks on other systems within the internal network.
Reproduction
To reproduce this vulnerability, log into the B2C portal and navigate to the 'Manage Package' section. Create a new package or edit an existing one, and upload a PHP file (for example, a minimal web shell) through the 'Image' upload field; the field accepts it because neither the extension nor the file content is validated server-side. After saving the package, open its public page: the uploaded file is rendered as a broken image, because the server returns the PHP script's output rather than image data. Requesting the image URL directly (for example by opening it in a new tab) causes the server to execute the PHP file, giving the attacker web shell access in the context of the web server user.
Remediation
It is recommended to implement server-side validation for file uploads: enforce an allow-list of safe extensions (standard image formats only), verify the file's actual content type from its bytes rather than from the client-supplied name or MIME header, and enforce a size limit. Uploaded files should additionally be decoded and re-encoded with an image library to confirm they are genuine images and to strip any embedded payload, stored outside the webroot (or in a directory where the web server is configured not to execute scripts), renamed to a server-generated random name, and served through a handler that sets the Content-Type explicitly rather than by direct URL.
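The following is an added example, not code from Bdtask or from the affected product, showing what the remediation above looks like in PHP. The form field name `image`, the storage directory `/var/app-data/package-images`, the function names and the size limit are all assumptions chosen for the illustration; the short "vulnerable" function at the top is a generic sketch of the unsafe pattern, not the vendor's code.

```php
<?php
// Added example, not the vendor's code. Assumed: the upload form field is
// named "image" and UPLOAD_DIR is a directory outside the webroot.

// Generic sketch of the unsafe pattern: the client-supplied name is kept and
// the file lands in a web-served directory, so "shell.php" becomes executable.
function unsafe_store(array $file): string
{
    $dest = __DIR__ . '/uploads/' . basename($file['name']); // web-accessible
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

const UPLOAD_DIR = '/var/app-data/package-images'; // assumed path, outside webroot
const MAX_BYTES  = 2 * 1024 * 1024;

// Allow-list: extension => the MIME type the bytes must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validates an entry of $_FILES and stores it under a random name.
// Returns the new basename to persist in the package record; throws on failure.
function store_package_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected: size or origin');
    }

    // 1. Extension allow-list on the client-supplied name (necessary, not sufficient).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content sniffing: MIME type from the bytes, not from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 3. Decode with GD: a PHP script, even with a forged magic header, fails here.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Re-encode under a random server-chosen name; this drops EXIF/comment
    //    chunks where a payload could hide, and removes any attacker-chosen name.
    $outExt = $ext === 'jpeg' ? 'jpg' : $ext;
    $name   = bin2hex(random_bytes(16)) . '.' . $outExt;
    $dest   = UPLOAD_DIR . '/' . $name;
    $ok = match ($outExt) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640);
    return $name;
}

// Serve images through a handler instead of exposing the directory: the file
// is streamed as data with an explicit Content-Type and is never executed.
function serve_package_image(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the package save handler (assumed field name "image"):
// $imageName = store_package_image($_FILES['image']);
```

The `match` expression requires PHP 8; on PHP 7 replace it with a `switch`. Re-encoding through GD is what turns the check from "looks like an image" into "is an image": a polyglot file that passes the extension and MIME checks is either rejected by `imagecreatefromstring` or rewritten as clean pixel data. Keeping the directory outside the webroot and serving through `serve_package_image` means that even a future validation bypass leaves the attacker with a file the web server will never execute.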
