Bdtask Flight Booking Software Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A critical vulnerability has been identified in Bdtask Flight Booking Software version 4, specifically within the B2B portal. The issue arises on the Edit Profile Page, where multiple image upload fields fail to implement proper server-side validation. This flaw allows authenticated users to upload executable files, such as PHP web shells, disguised as images. Once uploaded, these files are stored in a web-accessible directory, where they can be executed by accessing their URL, leading to remote code execution and a complete compromise of the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, leading to a full server compromise. This could result in unauthorized access to the application database, including sensitive customer information and payment records. Additionally, the compromised server could be used to attack other internal systems.

Reproduction

To reproduce this vulnerability, log into the Bdtask B2B portal and navigate to the Agent Profile Edit page. Upload a PHP script disguised as an image through one of the vulnerable image upload fields, such as the Owner image or Trade licence copy. After submitting the form, locate the uploaded file via its storage path or profile page. Access the file's URL and execute a command by appending a query parameter, confirming the successful execution of the uploaded script.

Remediation

It is recommended to implement proper server-side validation of uploaded files, enforcing a strict whitelist of allowed file types. Additionally, uploaded files should be stored outside of the webroot and accessed through secure scripts to prevent direct execution. Renaming uploaded files to non-executable names before storage can also mitigate the risk.
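The following handler is an added example of the remediation described above; it is not Bdtask code and assumes a hypothetical form field name and an upload directory (UPLOAD_DIR) that sits outside the webroot. It sniffs the real content type, decodes the file as an image, discards the client-supplied name and extension, and stores the result under a server-chosen non-executable name.

```php
<?php
// Added example of a hardened image upload handler (not Bdtask code).
// Assumptions: UPLOAD_DIR is outside the webroot; the form field is 'owner_image'.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads';   // assumed: not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;
// Strict whitelist keyed by the sniffed MIME type; the extension is assigned by us.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate one uploaded file and move it outside the webroot under a random
 * name. Returns the stored file name; throws on any validation failure.
 */
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File rejected');
    }
    // Sniff the content; never trust $_FILES['type'] or the client file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Disallowed content type');
    }
    // Must decode as an image. A bare script fails here; a file that is a valid
    // image and also carries code is neutralised by the renaming below.
    if (@imagecreatefromstring(file_get_contents($file['tmp_name'])) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-chosen name: original name and extension are discarded entirely,
    // so nothing the client controls can end in .php or similar.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // not executable
    return $name;
}

// Usage in the profile form handler (hypothetical field name):
// $stored = storeImageUpload($_FILES['owner_image']);
// Serve it later through a script that takes only the stored name (no path
// input), validates it against [a-f0-9]{32}\.(jpg|png), and sends a fixed
// Content-Type header, so the file is never executed by the web server.
```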

Added: Nov 16, 2025, 6:18 AM
Updated: Nov 16, 2025, 6:18 AM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           0.0
  impact           10.0
  exploitability   6.6
  remediation      0.0
  relevance        1.0
  threat           6.4
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.