CVE-2022-32328
📋 TL;DR
Fast Food Ordering System v1.0 contains an arbitrary file deletion vulnerability in the Master.php component (/classes/Master.php). The delete_img action, selected through the f parameter, unlinks the file named by a user-controlled path parameter without validating it, so an attacker can delete any file the web server process has permission to remove, causing service disruption or data loss. All deployments of Fast Food Ordering System v1.0 are affected.
💻 Affected Systems
- Fast Food Ordering System
📦 What is this software?
Fast Food Ordering System by Fast Food Ordering System Project
⚠️ Risk & Real-World Impact
Worst Case
Deletion of every file the web server account can remove: application source, configuration, uploaded content, and any database or backup files stored on the same host with permissive permissions, leaving the application unavailable until it is restored from backup. Operating-system files are only reachable if the web server runs as root or with similarly excessive rights.
Likely Case
Deletion of application files, configuration files, or uploaded images, causing service disruption and data loss. Removing protective files such as .htaccess can also weaken access controls on the affected directories.
If Mitigated
Limited impact when the web server account has no write permission on application and system directories, so only files in the intended upload location can be removed.
🎯 Exploit Status
A single HTTP request with a traversal sequence in the file path parameter is sufficient; no authentication is required. Public exploit details are available in a GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch is available. Upgrade to a newer version if one is released, or apply the workarounds below.
🔧 Temporary Workarounds
Web Server Access Restriction
Block access to the vulnerable endpoint using web server configuration. Master.php also serves the application's other AJAX actions (selected by f), so denying it outright disables those functions; if the application must stay usable, restrict the location to trusted source addresses instead of denying all. Adjust the /ffos/ prefix if the application is installed under a different path.
Apache 2.4:
<Location "/ffos/classes/Master.php">
    Require all denied
</Location>
Apache 2.2 (Order/Deny syntax):
<Location "/ffos/classes/Master.php">
    Order deny,allow
    Deny from all
</Location>
Nginx:
location = /ffos/classes/Master.php { deny all; }
File Permission Hardening
Make the application tree unwritable by the web server account. Whether a process can delete a file is decided by write permission on the containing directory, not by the file's own mode, so the directories must be owned by root and only the upload directory left writable.
chown -R root:www-data /var/www/html/ffos
find /var/www/html/ffos -type d -exec chmod 755 {} +
find /var/www/html/ffos -type f -exec chmod 644 {} +
# Only the image upload directory stays writable; the path is an assumption, adjust it to your install
chown www-data:www-data /var/www/html/ffos/uploads
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing file deletion patterns
- Deploy file integrity monitoring to detect unauthorized file deletions
🔍 How to Verify
Check if Vulnerable:
Create a harmless marker file in a location the web server account can delete (for example an empty file in the application's upload directory), then send a GET request to /ffos/classes/Master.php?f=delete_img&id=../../test.txt, adjusting the traversal depth so the path resolves to the marker. If the marker disappears, the instance is vulnerable. The test is destructive: run it against a staging copy and never point it at a file you need.
Check Version:
Check the application version in the admin panel or in the readme files shipped with the download; v1.0 is the affected release.
Verify Fix Applied:
Confirm that the endpoint is no longer reachable, or that the patched handler rejects paths containing traversal sequences and resolves the target inside the intended upload directory before deleting it.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /ffos/classes/Master.php with f=delete_img, especially from clients that never loaded the ordering pages
- unlink/unlinkat events by the web server user outside the upload directory (auditd or inotify-based file integrity monitoring)
Network Indicators:
- GET requests with path traversal patterns (../ or its URL-encoded forms such as %2e%2e%2f) in the path parameter of delete_img requests
SIEM Query:
source="web_access.log" AND uri="/ffos/classes/Master.php" AND query="*delete_img*"
Decode the query string before matching on traversal sequences, since attackers can percent-encode them, and treat delete_img requests whose path parameter is not visible in the access log (for example a POST body) as needing manual review.
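The following script is an added example, not part of the original advisory or the Fast Food Ordering System code. It runs the detection logic above over constructed access-log lines: it parses each line, keeps only requests to Master.php with f=delete_img, URL-decodes the id parameter, and decides whether the path escapes the upload directory using the same normalise-then-check-containment rule a patched handler would need (the upload directory name and the log lines are assumptions for illustration).

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2022:14:02:11 +0000] "GET /ffos/classes/Master.php?f=delete_img&id=../../../../etc/passwd HTTP/1.1" 200 52 "-" "curl/7.81.0"
203.0.113.7 - - [10/Jun/2022:14:02:15 +0000] "GET /ffos/classes/Master.php?f=delete_img&id=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 52 "-" "curl/7.81.0"
198.51.100.4 - - [10/Jun/2022:14:03:01 +0000] "GET /ffos/classes/Master.php?f=delete_img&id=1654869000_burger.png HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2022:14:03:05 +0000] "GET /ffos/classes/Master.php?f=get_product&id=3 HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2022:14:04:22 +0000] "POST /ffos/classes/Master.php?f=delete_img HTTP/1.1" 200 52 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

ENDPOINT = "/ffos/classes/Master.php"
UPLOAD_ROOT = "uploads"  # assumed directory the image deleter is meant to work in


def resolves_outside(path_param: str, root: str = UPLOAD_ROOT) -> bool:
    """True if a user-supplied path escapes `root` once decoded and normalised.

    Decode twice (to defeat %252e double encoding), drop NUL bytes, reject
    absolute paths, then normalise and require the result to sit strictly
    inside `root`. An empty value would target the directory itself and is
    rejected as well.
    """
    decoded = unquote(unquote(path_param)).replace("\x00", "")
    if decoded.startswith("/"):
        return True
    joined = posixpath.normpath(posixpath.join(root, decoded))
    return not joined.startswith(root + "/")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, reason) for a suspicious delete_img request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes percent-encoding once
    if qs.get("f", [None])[0] != "delete_img":
        return None
    ids = qs.get("id")
    if ids is None:
        # The path may have travelled in a POST body, which the access log does not record.
        return (m["ip"], "delete_img without visible id (path may be in POST body)")
    if resolves_outside(ids[0]):
        return (m["ip"], f"delete_img path escapes {UPLOAD_ROOT}/: {unquote(ids[0])}")
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Of the five constructed lines, the two traversal requests and the POST with no visible path are reported; the deletion of a file that resolves inside the upload directory and the unrelated get_product action are not. The same resolves_outside() rule, applied before unlink(), is what a corrected delete_img handler must enforce.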