simogeo / Filemanager

An open-source file manager released under MIT license. Up-to-date for PHP connector. This package is DEPRECATED. Now, please use RichFileManager available at : https://github.com/servocoder/RichFilemanager.

Security Issue - Vulnerability in CFM module #547

Closed Bl0ckbuster closed 6 years ago

Bl0ckbuster commented 6 years ago

Hi @simogeo, I'd like to privately discuss a vulnerability I discovered in the Filemanager code on a recent pentest, however, I don't find any way to communicate other than through here.

I realize that this project is not being actively updated, but I would like to discuss this further with you if possible before disclosure. Is there a better way to discuss this with you?

Thanks! Aaron

psolom commented 6 years ago

Take a look at https://github.com/servocoder/RichFilemanager. This was started as a fork of this package and has been completely reworked afterwards. If you find that the issue is still there, you can create a PR to fix it.

simogeo commented 6 years ago

Hi @Bl0ckbuster: thanks for your message. Actually, I'm not the CFM dev. Looking at the source code file, I can see the author and email address: James Gibson <james.gibson (at) liquifusion (dot) com>

Just know that Filemanager is not maintained anymore.

Bl0ckbuster commented 6 years ago

Thanks guys! I'll try to get in touch with James, and get the vuln written up. Being that this is a CFM module, I don't see it in the Richfilemanager, so I don't think it affects the new version.