Unauthenticated RCE in QloApps

[mr7s3d0]

Hi team,
I am writing to responsibly disclose a critical security vulnerability that I identified in QloApps versions 1.7.0 and earlier during security research.

The vulnerability exists in the hotel review file upload functionality and allows an unauthenticated remote attacker to upload and execute arbitrary files on the server, resulting in remote code execution (RCE) and complete system compromise.

If you require additional information or a proof of concept to verify this issue, I would be happy to provide it securely.

Note: I already reported this issue to [support@qloapps.com] two week ago but have not yet got a reply.

If you need additional information, you can email to me via: neakkpornlur@gmail.com

Thanks

[AradhanaSingh63]

Hi @mr7s3d0,

Thank you for reporting this issue.

We are reviewing this.

[mr7s3d0]

Hi @AradhanaSingh63,

Just a quick follow-up on this issue. I wanted to check if there are any updates or if you need additional details from my side.

Thanks again for your time and for reviewing this.

[AradhanaSingh63]

Hi @mr7s3d0,

We searched for the ticket you mentioned, but we were unable to find it. Kindly create a new ticket and include the link to the previous ticket so that we can link both tickets together.

Further discussion regarding this issue will continue in the newly created ticket.

[mr7s3d0]

Hi @AradhanaSingh63,

I reviewed my email again and I think it not reach your team because it contain many of my POC code. now I was sent it again and can get the ticket ID. I also worked with your team in chat support.

thanks.

[AradhanaSingh63]

Hi @mr7s3d0,

Kindly share the ticket ID so we can directly connect it and proceed with the discussion through that ticket.

[mr7s3d0]

Hi @AradhanaSingh63,

Here is the ticket ID: #657258.

[AradhanaSingh63]

Hi @mr7s3d0,

Thanks for providing the ticket ID. We will update you on the ticket

[mr7s3d0]

Hi @AradhanaSingh63

For clarification and tracking: By working with the security team on the ticket has confirmed that they are aware of this issue and that a fix is already present in their codebase and will be included in the next official release.

I’m coordinating responsibly and will wait for the patched version to be publicly released.

Thanks.

[AradhanaSingh63]

Okay, this issue will be fixed when the next version is released.

[maurerle]

Hi @AradhanaSingh63 which mitigation steps do exist in the mean time here?
Is disabling the hotel review file upload enough?

Can you share instructions in the mean time?

[mr7s3d0]

Hi @maurerle, you no need to disabling the hotel review file upload, you can fixed this security bug by just change the saveReviewImages() function on file /modules/qlohotelreview/classes/QhrHotelReview.php to this code:

public function saveReviewImages()
    {
        $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

        $files = QhrHotelReviewHelper::fileAttachmentMultiple('images');
        if (is_array($files) && count($files)) {
            foreach ($files as $key => $file) {
                $ext = strtolower(pathinfo($file['rename'], PATHINFO_EXTENSION));
                if (!in_array($ext, $allowedExtensions, true)) {
                    continue; // Reject dangerous extensions
                }
                $dir = _PS_MODULE_DIR_.'qlohotelreview/views/img/review/'.Image::getImgFolderStatic($this->id);
                QhrHotelReviewHelper::createDirectory($dir);
                $useSameExt = false;
                if ($useSameExt) {
                    $imgPath = $dir.($key + 1).'.jpg';
                } else {
                    $imgPath = $dir.($key + 1).'.'.$ext;
                }
                ImageManager::resize($file['tmp_name'], $imgPath);
            }
        }
    }

Above code will prevent attacker from uploading dangerous file extensions.

Optional but Recommend:

Disable PHP code execution on file uploaded directory following rule:
Apache

<Directory "/modules/qlohotelreview/views/img/">
    php_admin_flag engine off
</Directory>

Nginx

location ~* /modules/qlohotelreview/views/img/ {
    deny all;
}