Hi @Awilum
Kindly also blacklist extensions in all uppercase or a mix of uppercase and lowercase (pHP, Php) in https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php, line 19:
public static function main()
{
    // Array of forbidden types
    $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');
As you can see in the above code, only the lowercase extensions are blacklisted; however, some of these executables can be executed even with extension names in uppercase or a combination of both uppercase and lowercase.
This issue can be patched by converting $ext to lowercase. This can be done by replacing the code below on lines 113, 114 and 115 of index.view.php in https://github.com/monstra-cms/monstra/blob/8c318cdd033a9152a7fba591b37d6739d0c27fce/plugins/box/filesmanager/views/backend/index.view.php: