The Upload file module does not take letter case into account when it checks the file extension in $_FILES['file']['name']. Vulnerable file: /plugins/box/filesmanager/filesmanager.admin.php
    // Upload file
    // -------------------------------------
    if (Request::post('upload_file')) {
        if (Security::check(Request::post('csrf'))) {
            $error = false;
            if ($_FILES['file']) {
                // The extension is compared exactly as submitted, so the match against $forbidden_types is case-sensitive
                if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                    $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                    $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                    if ($uploaded !== false && is_file($filepath)) {
                        Notification::set('success', __('File was uploaded', 'filesmanager'));
                    } else {
                        $error = 'File was not uploaded';
                    }
                } else {
                    $error = 'Forbidden file type';
                }
            } else {
                $error = 'File was not uploaded';
            }
            if ($error) {
                Notification::set('error', __($error, 'filesmanager'));
            }
            if (Request::post('dragndrop')) {
                Request::shutdown();
            } else {
                Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
            }
        } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
    }
Repair suggestions
Normalise the case of $_FILES['file']['name'] before the extension check, as follows:
    // Upload file
    // -------------------------------------
    if (Request::post('upload_file')) {
        if (Security::check(Request::post('csrf'))) {
            $error = false;
            if ($_FILES['file']) {
                $_FILES['file']['name'] = strtolower($_FILES['file']['name']); // Change uppercase to lowercase
                if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                    $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                    $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                    if ($uploaded !== false && is_file($filepath)) {
                        Notification::set('success', __('File was uploaded', 'filesmanager'));
                    } else {
                        $error = 'File was not uploaded';
                    }
                } else {
                    $error = 'Forbidden file type';
                }
            } else {
                $error = 'File was not uploaded';
            }
            if ($error) {
                Notification::set('error', __($error, 'filesmanager'));
            }
            if (Request::post('dragndrop')) {
                Request::shutdown();
            } else {
                Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
            }
        } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
    }
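How the original check and the repair above treat the same filenames, as an added example that is not Monstra's code; it also goes one step beyond the page's fix by showing an allowlist variant. Assumptions: ext() is a stand-in for File::ext(), and the $forbidden and $allowed lists and the sample filenames are constructed, since the page does not show the real values.

```php
<?php
// Added example: stand-alone sketch, not Monstra code.
// $forbidden and $allowed are constructed sample lists (the page does not show the real ones).
$forbidden = ['php', 'phtml', 'html', 'js'];
$allowed   = ['jpg', 'png', 'gif', 'pdf', 'txt'];

// Stand-in for File::ext() (assumption): the text after the last dot, unchanged.
function ext(string $name): string
{
    return pathinfo($name, PATHINFO_EXTENSION);
}

// The check as written in the vulnerable handler: in_array() compares strings
// case-sensitively, so only the exact spelling in the list is rejected.
function original_check(string $name, array $forbidden): bool
{
    return !in_array(ext($name), $forbidden);
}

// The page's repair: lowercase the name first, then run the same denylist.
function repaired_check(string $name, array $forbidden): bool
{
    return !in_array(ext(strtolower($name)), $forbidden, true);
}

// Stricter variant: accept only known-good extensions, after normalising case.
function allowlist_check(string $name, array $allowed): bool
{
    return in_array(strtolower(ext($name)), $allowed, true);
}

// Constructed sample filenames.
$samples = ['notes.txt', 'photo.JPG', 'page.php', 'page.PHP', 'page.Php'];

printf("%-10s %-9s %-9s %-9s\n", 'name', 'original', 'repaired', 'allowlist');
foreach ($samples as $name) {
    printf(
        "%-10s %-9s %-9s %-9s\n",
        $name,
        original_check($name, $forbidden) ? 'accept' : 'reject',
        repaired_check($name, $forbidden) ? 'accept' : 'reject',
        allowlist_check($name, $allowed) ? 'accept' : 'reject'
    );
}
```

The allowlist column rejects anything not explicitly permitted, so it does not depend on the denylist naming every executable extension.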
Brief of this vulnerability
The Monstra 3.0.4 source code does not take letter case into account when filtering the php extension, which leads to an unrestricted file upload vulnerability.
Test Environment
Affected version
POC
Execute successfully
Reason of This Vulnerability
The Upload file module does not take letter case into account when it checks the file extension in $_FILES['file']['name']. Vulnerable file: /plugins/box/filesmanager/filesmanager.admin.php