This is Febin, a security professional.
I used to pick random open-source software for my research; recently I took some web-based file management software as my research targets. Among the popular web-based file managers I found was one named “Tiny File Manager”. While poking around I found an awesome vulnerability in the application that leads to code execution on the server. This article is about that vulnerability.
September 16, 2021 — Contacted the developer and reported the vulnerability
September 17, 2021 — Developer replies back
September 20, 2021 — Developer verified the issue
September 26, 2021 — I patched the source code, fixed the RCE, and sent a pull request to the original repository.
November 12, 2021 — The developer merged the commit. The vulnerability has been fixed.
TinyFileManager is a simple, fast, and small web-based file manager contained in a single file, a multi-language-ready web application for storing, uploading, editing, and managing files and folders online via the web browser. The application runs on PHP 5.5+. It allows the creation of multiple users, each of whom can have their own directory, has built-in support for managing text files with the Cloud9 IDE, and supports syntax highlighting for over 150 languages and over 35 themes.
Tiny File Manager is PHP-based software. This particular vulnerability is present in the tinyfilemanager.php script. When the user logs in to the application, they are allowed to upload, download, and edit files, and those files are stored in a specific directory specified in “config.php”. The vulnerability I found allows the user to upload files outside the specified directory by tampering with the “fullpath” parameter and prepending a series of “../” sequences to the actual filename, thus breaking out of the file root directory specified in config.php.
This can be exploited to place PHP web shells inside the web root directory of Tiny File Manager and achieve RCE.
Proof Of Concept:
1. An attacker who has admin credentials or admin access to the “Tiny File Manager” app can upload arbitrary files to the server via path traversal, i.e. by appending “../../../../../../../” to the “fullpath” parameter in the upload feature.
2. If the attacker can obtain the full web root directory of the “Tiny File Manager” app, they can upload PHP files there to achieve RCE.
3. To get the full web root directory path, we can abuse a path disclosure vulnerability in the URL upload feature. When a random rubbish URL is given as input, it throws an error message that reveals the full web root directory path.
4. By combining these, we can achieve Command execution on the server.
I created an exploit script that automatically exploits the bug and gets a shell:
👉 Replacing “./” with “_” fixes the issue.
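Shown below as an added example (not Tiny File Manager's own code) is the kind of upload-path handling the bug comes down to: the raw join of the client-supplied “fullpath” onto the configured root, the “./” to “_” replacement described above, and a canonical-path containment check as a second layer; the function names and the temporary directory are assumptions.

```php
<?php
// Added example, not Tiny File Manager's own code. It shows the unsafe join of
// a client-supplied "fullpath" onto the configured root, the write-up's textual
// fix, and a canonical-path check as a second layer. Names here are assumptions.

// Unsafe: the client-controlled value is appended without normalisation, so
// leading "../" segments step out of the configured upload directory.
function join_upload_target(string $rootPath, string $fullPath): string
{
    return rtrim($rootPath, '/') . '/' . $fullPath;
}

// The write-up's fix: neutralise "./" textually. "../../x" becomes "._._x", a
// plain file name inside the root. It does not touch backslash sequences, which
// PHP on Windows also treats as separators; hence the second check below.
function sanitize_fullpath(string $fullPath): string
{
    return str_replace('./', '_', $fullPath);
}

// Defence in depth: canonicalise the target's parent directory and require it
// to sit under the canonical root. realpath() needs an existing path, so the
// check is done on dirname() of the target, which must exist for an upload.
function is_inside_root(string $rootPath, string $target): bool
{
    $root = realpath($rootPath);
    $dir  = realpath(dirname($target));
    if ($root === false || $dir === false) {
        return false; // unresolvable location: refuse rather than guess
    }
    // Compare with a trailing separator so "/srv/files2" is not accepted as
    // being inside "/srv/files".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $dir  = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir, $root, strlen($root)) === 0;
}

// Constructed demonstration with a throwaway root directory.
$root = sys_get_temp_dir() . '/tfm_demo_' . uniqid();
mkdir($root, 0700, true);
$attempt = '../../outside.php'; // constructed traversal input, as in the write-up

$raw  = join_upload_target($root, $attempt);
$safe = join_upload_target($root, sanitize_fullpath($attempt));
printf("raw  : %s -> inside root? %s\n", $raw, is_inside_root($root, $raw) ? 'yes' : 'no');
printf("fixed: %s -> inside root? %s\n", $safe, is_inside_root($root, $safe) ? 'yes' : 'no');
rmdir($root);
```

The containment check is worth keeping even with the string replacement in place, because it rejects any target whose resolved parent lies outside the root regardless of how the traversal was spelled.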