Tiny File Manager 2.4.8 - Remote Command Execution
10
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Tiny File Manager 2.4.8 - RCE
Code name
State
Public
Release date
Nov 21, 2022
Affected product
Tiny File Manager
Affected version(s)
Version 2.6.3
Vulnerability name
Remote command execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
10.0
Exploit available
Yes
CVE ID(s)
Description
Version 2.4.8 of Tiny File Manager allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.
Vulnerability
This vulnerability occurs because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.
Exploitation
To exploit this vulnerability, the following file must be sent to the server as administrator (to achieve this I will abuse the CSRF present in the application).
exploit.php
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-23044, the CVE-2022-45475, the CVE-2022-45476 to refer to this issue from now on. Disclosure policy
System Information
Version: Tiny File Manager 2.4.8
Operating System: GNU/Linux
Mitigation
An updated version of Tiny File Manager is available at the vendor page.
References
Timeline
Vulnerability discovered
Nov 17, 2022
Vendor Confirmed Vuln.
Nov 17, 2022
Vendor contacted
Nov 17, 2022
Vendor replied
Nov 17, 2022
Public disclosure
Nov 21, 2022
