monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

Recommended Patch for Remote Command Execution Vulnerability #426

Open security-prince opened 6 years ago

security-prince commented 6 years ago

Hi @Awilum

Kindly blacklist extensions in all uppercase or in a combination of uppercase and lowercase (pHP, Php) as well, in https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php, line 19:

```php
public static function main()
{
    // Array of forbidden types
    $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');
```

As you can see in the above code, only the lowercase extensions are blacklisted, however, some of these executables can be executed even with extension names in uppercase or a combination of both uppercase and lowercase.

This issue can be patched by converting `$ext` to lowercase. This can be done by replacing the code on lines 113, 114 and 115 of index.view.php in https://github.com/monstra-cms/monstra/blob/8c318cdd033a9152a7fba591b37d6739d0c27fce/plugins/box/filesmanager/views/backend/index.view.php with the code below:

```php
<?php if (isset($files_list))
    foreach ($files_list as $file) { $ext = File::ext($file); ?>
    <?php // compare the lowercased extension so 'pHP' and 'PHP' match 'php'
    if (! in_array(strtolower($ext), $forbidden_types)) {

        $dimension = '';
```

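The case-sensitivity gap described above, as an added example that is not part of the issue or of Monstra's code: the exact-match blacklist check beside the lowercase-normalised one, run over constructed filenames. `file_ext()` is an assumed stand-in for Monstra's `File::ext()`; the forbidden list is the one quoted from filesmanager.admin.php.

```php
<?php
// Added example (not monstra's own code). Compares the case-sensitive blacklist
// check reported in this issue with the lowercase-normalised check proposed as
// the fix. $forbidden_types is the list quoted from filesmanager.admin.php.
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml',
    'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh',
    'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
    'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

// Assumed stand-in for Monstra's File::ext(): the text after the last dot,
// or '' when the name has no extension.
function file_ext($filename) {
    return pathinfo($filename, PATHINFO_EXTENSION);
}

// Vulnerable: compares the extension exactly as the client supplied it,
// so 'pHP' or 'PHP' never match the lowercase entry 'php'.
function is_forbidden_case_sensitive($filename, array $forbidden) {
    return in_array(file_ext($filename), $forbidden, true);
}

// Hardened: normalise to lowercase before the lookup, as the issue proposes.
function is_forbidden_case_insensitive($filename, array $forbidden) {
    return in_array(strtolower(file_ext($filename)), $forbidden, true);
}

// Constructed sample upload names (not from the page).
$samples = array('report.pdf', 'shell.php', 'shell.pHP', 'SHELL.PHP', 'Photo.JPG');

printf("%-12s %-16s %-16s\n", 'file', 'case-sensitive', 'lowercased');
foreach ($samples as $name) {
    printf("%-12s %-16s %-16s\n", $name,
        is_forbidden_case_sensitive($name, $forbidden_types) ? 'blocked' : 'ALLOWED',
        is_forbidden_case_insensitive($name, $forbidden_types) ? 'blocked' : 'allowed');
}
```

The table shows `shell.pHP` and `SHELL.PHP` passing the exact-match check but being blocked once the extension is lowercased; the same normalisation belongs wherever `$forbidden_types` is consulted, not only in the view.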
security-prince commented 6 years ago

Hi @Awilum, I have disclosed the vulnerability. Please check: https://blogs.securiteam.com/index.php/archives/3559