CVE-2022-31342 in Online Car Wash Booking System
Summary
by MITRE • 06/02/2022
Online Car Wash Booking System v1.0 is vulnerable to Delete any file via /ocwbs/classes/Master.php?f=delete_img.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/18/2026
The Online Car Wash Booking System v1.0 contains a critical file deletion vulnerability that allows unauthorized users to remove arbitrary files from the server filesystem through a malicious request to the Master.php endpoint. This vulnerability exists in the file deletion functionality where the application fails to properly validate or sanitize user input before executing file operations. The specific attack vector involves sending a request to the /ocwbs/classes/Master.php?f=delete_img endpoint with crafted parameters that can target any file path accessible to the web application's process.
This vulnerability represents a classic path traversal and arbitrary file deletion flaw that can be exploited to compromise the entire system. The application does not implement proper access controls or input validation mechanisms to prevent users from specifying arbitrary file paths for deletion. Attackers can leverage this weakness to remove critical system files, configuration files, database files, or even the application's own source code files, potentially leading to complete system compromise. The vulnerability falls under CWE-22 Path Traversal and CWE-77 Path Traversal which are well-documented weaknesses in file system access controls. From an operational perspective, this vulnerability can be exploited by attackers at the application layer without requiring elevated privileges or system-level access.
The impact of this vulnerability extends beyond simple file deletion as it can facilitate more sophisticated attacks such as remote code execution through the deletion of system components or the replacement of critical files. An attacker who successfully exploits this vulnerability can potentially disrupt service availability, escalate privileges, or create backdoors within the system. The attack can be executed through simple http requests and does not require specialized tools or deep technical knowledge. This makes the vulnerability particularly dangerous as it can be exploited by attackers with minimal skill levels. The weakness aligns with ATT&CK technique T1486 Data Encrypted for Ransomware which could be leveraged in ransomware attacks, and T1078 Valid Accounts which could be used to maintain persistence after initial compromise.
Mitigation strategies should include immediate implementation of proper input validation and sanitization for all file operations within the application. The system should enforce strict access controls and implement whitelisting mechanisms for file paths that can be operated upon. All user-supplied input should be validated against a known good set of acceptable values, and the application should use secure file handling practices that prevent path traversal attacks. Additionally, the application should implement proper authentication and authorization checks to ensure only authorized users can access file deletion functions. The system should also employ principle of least privilege where the web application runs with minimal necessary permissions and cannot delete critical system files. Regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities throughout the application codebase.