CVE-2021-36622
📋 TL;DR
CVE-2021-36622 allows unauthenticated attackers to upload PHP files disguised as images through the admin panel of Sourcecodester Online Covid Vaccination Scheduler System 1.0; the upload handler trusts the client-supplied Content-Type and does not require a login. Requesting the stored file afterwards executes it, giving remote code execution as the web server user. Every installation of this version is affected.
💻 Affected Systems
- Sourcecodester Online Covid Vaccination Scheduler System 1.0 (no fixed release is known)
📦 What is this software?
Online Covid Vaccination Scheduler System is a PHP web application published on Sourcecodester; NVD lists the vendor as "Online Covid Vaccination Scheduler System Project".
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, accessing sensitive vaccination data, and using the server as a pivot point for further attacks.
Likely Case
Webshell deployment leading to data theft, defacement, or ransomware deployment on the vaccination scheduling system.
If Mitigated
The upload is rejected by server-side content validation or a WAF rule, and any file that still slips through is never executed because the web server refuses to run PHP from the upload directory.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB. The attack is a single crafted multipart upload followed by a GET for the stored file, so it requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Check vendor website for updated version
2. If no patch available, implement workarounds
3. Consider replacing with alternative software
🔧 Temporary Workarounds
Prevent execution of uploaded scripts
Configure the web server so that PHP files under the upload directory are never executed or served, even when validation is bypassed. Scope the rule to the upload directory (assumed below to be /scheduler/uploads/; use the path your installation actually writes to). A server-wide deny on *.php would take the whole application offline, since the application itself is PHP. The pattern also catches double extensions such as shell.php.png, which Apache's AddHandler may otherwise execute.
# Apache 2.4: .htaccess inside the upload directory (or a <Directory> block for it in the vhost)
<FilesMatch "(?i)\.(php\d?|phtml|phar)(\.|$)">
Require all denied
</FilesMatch>
# Apache 2.2 uses the older form inside the same FilesMatch:
# Order Allow,Deny
# Deny from all
# Nginx: in the server block, placed before the generic "location ~ \.php$" handler
location ~* ^/scheduler/uploads/.*\.(php\d?|phtml|phar)(\.|$) {
deny all;
}
Implement file type validation
Add server-side validation that inspects the file's actual bytes instead of the client-supplied Content-Type header, and never keep the client's file name. Note that the MIME check alone is bypassable with a polyglot (a valid image with PHP appended), so the forced extension and the no-execute rule above are what actually stop execution.
# PHP example (in the upload handler, before move_uploaded_file; $upload_dir is the application's upload path)
$allowed_types = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
die('Upload failed');
}
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime  = finfo_file($finfo, $_FILES['file']['tmp_name']);  // sniffs the bytes, ignores the client header
finfo_close($finfo);
if (!isset($allowed_types[$mime]) || getimagesize($_FILES['file']['tmp_name']) === false) {
die('Invalid file type');
}
// Random name plus an extension derived from the detected type: no shell.php or shell.php.png survives
$target = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed_types[$mime];
move_uploaded_file($_FILES['file']['tmp_name'], $target);
🧯 If You Can't Patch
- Remove or disable the vulnerable upload functionality entirely
- Implement strict network segmentation and isolate the vulnerable system
🔍 How to Verify
Check if Vulnerable:
On a test copy of the application, without logging in, upload a file with a .php extension and a Content-Type of image/png to the upload form at /scheduler/admin/?page=user. The installation is vulnerable if the file is stored and can be requested back from the upload directory.
Check Version:
Check application files for version information, typically in README or configuration files
Verify Fix Applied:
Repeat the same upload after applying the fixes. PHP files must be rejected regardless of the Content-Type header, including double-extension names such as shell.php.png, and any file that is stored must come back with the server's random name and an image extension.
📡 Detection & Monitoring
Log Indicators:
- File uploads to the admin panel from clients with no admin session, or from unexpected source addresses
- Uploads whose declared MIME type is an image but whose stored name or content is PHP
- Access to uploaded PHP files in upload directories
Network Indicators:
- POST requests to upload endpoints with PHP content
- Subsequent requests to uploaded PHP files
SIEM Query:
source="web_logs" (url="*/scheduler/admin/*" AND method="POST" AND file_extension="php" AND content_type="image/*")
The conditions are ANDed on purpose: a PHP file declared as an image is the signature of this exploit, whereas matching every image upload to the admin panel would page on normal use. Pair it with a second search for any request to a .php file under the upload directory.
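The two log indicators above (PHP in the upload directory, and an admin-panel POST followed by a fetch of that script from the same client) as working detection logic. This is an added example, not code from the advisory or the project. It parses combined-format access logs; the log lines are constructed for the example, and /scheduler/uploads/ is an assumed upload path that must be replaced with the directory the installed copy actually writes to.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not from a real incident.
# Lines 1 and 3 model the exploit chain: an unauthenticated POST to the admin
# user page, then a request for the uploaded PHP file. Lines 4 and 5 are a
# legitimate admin edit whose upload is a real PNG. Line 6 is a later fetch of
# the web shell, outside the correlation window.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2021:10:01:02 +0000] "POST /scheduler/admin/?page=user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Jul/2021:10:01:05 +0000] "GET /scheduler/admin/?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2021:10:01:09 +0000] "GET /scheduler/uploads/1626084062_avatar.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Jul/2021:10:02:30 +0000] "POST /scheduler/admin/?page=user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Jul/2021:10:02:31 +0000] "GET /scheduler/uploads/1626084150.png HTTP/1.1" 200 34010 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2021:10:40:00 +0000] "GET /scheduler/uploads/1626084062_avatar.php?cmd=whoami HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# ASSUMPTION: the application stores uploads under /scheduler/uploads/.
UPLOAD_DIRS = ("/scheduler/uploads/",)
ADMIN_PANEL = "/scheduler/admin/"
# Script extension anywhere in the name: matches shell.php, shell.php?cmd=id and
# double extensions such as shell.php.png that Apache AddHandler may execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|\?|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=30)  # max gap between the upload POST and first execution

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_script_in_upload_dir(path):
    """True if the requested path is a server-side script inside an upload directory."""
    return path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path) is not None


def detect(log_text):
    """Apply both rules to a block of log text and return findings in time order.

    script_in_upload_dir: any request for a script under the upload directory.
      A healthy install never serves one, so this is high confidence on its own.
    upload_then_execute: the same client POSTed to the admin panel within WINDOW
      before that request, i.e. the upload-then-fetch exploit chain.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    last_admin_post = {}  # ip -> timestamp of its most recent POST to the admin panel
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["method"] == "POST" and r["path"].startswith(ADMIN_PANEL):
            last_admin_post[r["ip"]] = r["ts"]
            continue
        if not is_script_in_upload_dir(r["path"]):
            continue
        hit = {"ip": r["ip"], "path": r["path"], "ts": r["ts"], "status": r["status"]}
        findings.append(dict(hit, rule="script_in_upload_dir"))
        posted = last_admin_post.get(r["ip"])
        if posted is not None and r["ts"] - posted <= WINDOW:
            findings.append(dict(hit, rule="upload_then_execute", upload_ts=posted))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['ip']:14} {f['ts']:%H:%M:%S} {f['path']}")
```

On the sample log this reports three findings, all for 10.0.0.5: the first fetch of the .php file trips both rules, the legitimate PNG fetch trips neither, and the later fetch at 10:40 trips only the stand-alone rule because it falls outside the 30-minute window. Feed real logs through `detect()` via stdin or a file, and widen WINDOW if attackers on your network tend to plant a shell and return later.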