## https://sploitus.com/exploit?id=80C9C51D-B909-56C3-B614-337A1B2AD570
# CVE-2022-0482 Demo Repository
> :warning: **Disclaimer: This repository is solely for educational and research purposes. Unauthorized and malicious use is strictly prohibited. The authors will not be held responsible for any misuse or damage resulting from the deployment of any code or exploit provided herein.**
## Table of Contents
- [CVE-2022-0482 Demo Repository](#cve-2022-0482-demo-repository)
  - [Table of Contents](#table-of-contents)
  - [About the Vulnerability](#about-the-vulnerability)
  - [Setup](#setup)
    - [Development](#development)
  - [Exploitation](#exploitation)
    - [Prerequisites](#prerequisites)
    - [Exploit](#exploit)
  - [Mitigation](#mitigation)
  - [Detection](#detection)
    - [Nginx Access Logs](#nginx-access-logs)
  - [Additional Resources](#additional-resources)
## About the Vulnerability
CVE-2022-0482 is a critical information disclosure flaw affecting the GitHub repository alextselegidis/easyappointments prior to version 1.4.3.
> "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3."
>
> _Source: [NIST Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2022-0482)_

> "The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This happens on this endpoint: `/index.php/backend_api/ajax_get_calendar_events`. Unfortunately, there is no authentication/permissions-check on that endpoint; the only required parameters in a POST request are 'startDate,' 'endDate,' and 'csrfToken.' Because the csrfToken can be obtained by any unauthenticated user just visiting the public form (and is valid for the backend as well), any attacker can query the backend API and obtain all sorts of private information about the appointment, in JSON format."
>
> _Source: [GitHub Advisory](https://github.com/advisories/GHSA-r6cm-wg48-rh2r)_
## Setup
To set up the vulnerable environment for demonstration, follow the steps below:
1. Clone this repository:
```bash
git clone https://github.com/OwlsNightCatch/CVE-2022-0482-demo.git
```
2. Navigate to the `easyappointments-1.4.2` directory:
```bash
cd CVE-2022-0482-demo/target/easyappointments-1.4.2
```
3. Run Docker Compose:
```bash
docker compose up
```
Sometimes startup hangs after the log line `easyappointments-142-php-fpm-1 | ➜ Install NPM Dependencies`. If it does, restart the container `easyappointments-142-php-fpm-1`.
Wait until the following log lines appear:
```
2023-10-26 01:08:46 ➜ Listen To Incoming Requests
2023-10-26 01:08:46 [25-Oct-2023 17:08:46] NOTICE: fpm is running, pid 1387
2023-10-26 01:08:46 [25-Oct-2023 17:08:46] NOTICE: ready to handle connections
```
After running these steps, the vulnerable application should be up and running, accessible at `http://localhost`.
Complete the initial setup of the server on the webpage and add some appointments for customers.
### Development
This environment uses version 1.4.2 of [alextselegidis/easyappointments](https://github.com/alextselegidis/easyappointments). For specific customizations of the Docker setup, consult [target/custom_changes/](target/custom_changes/). These have been taken from the develop branch of the repo [alextselegidis/easyappointments develop](https://github.com/alextselegidis/easyappointments/tree/develop) with some custom adaptations and bug fixes.
## Exploitation
> :warning: **Disclaimer:** The following exploitation methods are described for educational and research purposes only. Do not attempt to exploit any system you do not have explicit permission to test.
### Prerequisites
- Python 3.x
- `requests` library
### Exploit
Run the Python script against the target: `python3 cve-2022-0482.py [-h] [--startDate STARTDATE] [--endDate ENDDATE] hostname`
```
usage: cve-2022-0482.py [-h] [--startDate STARTDATE] [--endDate ENDDATE] hostname

CVE-2022-0482 vulnerability is a critical information disclosure flaw affecting the GitHub repository
alextselegidis/easyappointments prior to version 1.4.3.

positional arguments:
  hostname              The hostname to which to exploit

options:
  -h, --help            show this help message and exit
  --startDate STARTDATE
                        The start date for the calendar events in the form YYYY-MM-DD
  --endDate ENDDATE     The end date for the calendar events in the form YYYY-MM-DD
```
Start and end date have the form YYYY-MM-DD.
## Mitigation
Upgrade to alextselegidis/easyappointments version 1.4.3 or later to mitigate this vulnerability.
## Detection
Detecting an exploit attempt for CVE-2022-0482 can be done by monitoring logs of the affected service.
### Nginx Access Logs
These logs are typically located at `/var/log/nginx/access.log`. In this example they are located in the nginx docker container at `/var/log/nginx/application.access.log`.
Search these logs for access to `/index.php/backend_api/ajax_get_calendar_events` from unusual IPs.
```bash
grep "/index.php/backend_api/ajax_get_calendar_events" /var/log/nginx/application.access.log
```
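The `grep` above returns every hit, including legitimate calendar loads by staff. The following added example (not part of this repository) narrows the result to POSTs from outside an allowlist and shows per client how many requests were actually served. It assumes nginx's default `combined` log format; `TRUSTED_NETS` is a hypothetical allowlist and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

ENDPOINT = "/index.php/backend_api/ajax_get_calendar_events"

# nginx default "combined" format (assumption: no custom log_format is configured)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Hypothetical allowlist: networks from which staff normally use the backend calendar.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines (documentation address ranges), not taken from a real server.
SAMPLE_LOG = """\
10.0.5.20 - - [26/Oct/2023:09:01:12 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Oct/2023:09:14:40 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "python-requests/2.31.0"
203.0.113.7 - - [26/Oct/2023:09:14:41 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 48213 "-" "python-requests/2.31.0"
198.51.100.9 - - [26/Oct/2023:09:20:03 +0000] "POST /index.php/backend_api/ajax_get_calendar_events?x=1 HTTP/1.1" 403 150 "-" "curl/8.4.0"
this line is truncated or malformed
"""

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_calendar_requests(log_text):
    """Summarise POSTs to the endpoint from outside TRUSTED_NETS, per client IP."""
    hits = defaultdict(lambda: {"requests": 0, "served": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m["uri"].split("?", 1)[0]  # ignore any query string
        if path != ENDPOINT or is_trusted(m["ip"]):
            continue
        entry = hits[m["ip"]]
        entry["requests"] += 1
        if m["status"] == "200":  # a response body was returned, not just a probe
            entry["served"] += 1
            entry["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return dict(hits)

if __name__ == "__main__":
    print(suspicious_calendar_requests(SAMPLE_LOG))
```

To run it against the demo environment, pass the contents of `/var/log/nginx/application.access.log` from the nginx container instead of `SAMPLE_LOG`.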
## Additional Resources
- [NIST Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2022-0482)
- [GitHub Advisory](https://github.com/advisories/GHSA-r6cm-wg48-rh2r)
- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml)
- [Huntr Report](https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/)
- [Discoverer's Blog Post](https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/)