CVE-2020-22550
Description
Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. Using the traversal allows an attacker to download sensitive files from the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Veno / File Manager
- Range: <=3.5.6
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the `filesarray` parameter in zip.php allows directory traversal."
Attack vector
An attacker sends a POST request to `/filemanager/vfm-admin/ajax/zip.php` with a base64-encoded `filesarray` parameter containing directory traversal sequences (e.g., `../../../../../../etc/passwd`), along with valid `time` and `dash` values [ref_id=1]. The server compresses the traversed file into a ZIP archive and returns a download link. The attacker then fetches the ZIP via a GET request and extracts the file contents [ref_id=1]. No authentication is required beyond knowing the `time` and `dash` parameters.
Affected code
The vulnerable endpoint is `/filemanager/vfm-admin/ajax/zip.php` in Veno File Manager 3.5.6 [ref_id=1]. The `filesarray` parameter accepts a base64-encoded file path that is not sanitized for directory traversal sequences.
What the fix does
The advisory does not include a patch or official remediation. The researcher's PoC demonstrates that the application fails to validate or sanitize the `filesarray` parameter for path traversal sequences before passing it to the ZIP compression routine [ref_id=1]. A proper fix would reject any file path containing `../` sequences or resolve the path against an allowed base directory before processing.
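The second remediation named above, resolving the decoded path against an allowed base directory, as an added PHP example (not Veno File Manager's own code); the function names, the base directory and the sample paths are assumptions:

```php
<?php
// Added example, not Veno File Manager's own code. Shows the check the
// zip.php endpoint lacks: canonicalise the decoded `filesarray` path
// against an allowed base directory and refuse anything that escapes it.
// Function names, base directory and sample paths are assumptions.

/**
 * Canonicalise $requested relative to $baseDir.
 * Returns the absolute path on success, or null when the path does not
 * exist or resolves outside $baseDir (via "../", absolute paths or symlinks).
 */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;            // missing base dir or embedded NUL byte
    }
    // realpath() collapses "." / ".." and follows symlinks, so the prefix
    // test below runs on the real target, not on the attacker-shaped string.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($target === false) {
        return null;            // target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;            // escaped the allowed base directory
    }
    return $target;
}

// Same base64 decoding step the endpoint performs, followed by the missing
// check. Strict decoding rejects malformed input before any path handling.
function validatedZipTarget(string $baseDir, string $filesArrayB64): ?string
{
    $path = base64_decode($filesArrayB64, true);
    return $path === false ? null : resolveInsideBase($baseDir, $path);
}

// Constructed demo: a throwaway upload directory holding one sample file.
$uploads = sys_get_temp_dir() . '/vfm-demo-' . getmypid();
mkdir($uploads);
file_put_contents("$uploads/report.txt", "constructed sample\n");

foreach (['report.txt', '../../../../../../etc/passwd', '/etc/passwd'] as $p) {
    $result = validatedZipTarget($uploads, base64_encode($p));
    printf("%-32s => %s\n", $p, $result === null ? 'REJECTED' : $result);
}

unlink("$uploads/report.txt");
rmdir($uploads);
```

Only the in-tree `report.txt` resolves; both traversal forms are rejected before any ZIP routine sees them.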
Preconditions
- Input: the attacker must know or guess valid `time` and `dash` parameters for the target Veno File Manager instance
- Network: the target must be running Veno File Manager 3.5.6 with the zip.php endpoint accessible
Reproduction
Run the PoC script with `--hostname <target> --dash <dash_value> --time <time_value>`, then enter a file path like `../../../../../../etc/passwd` when prompted [ref_id=1]. The script base64-encodes the path, sends it to `/filemanager/vfm-admin/ajax/zip.php`, downloads the resulting ZIP, and prints the file contents.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codecanyon.net/item/veno-file-manager-host-and-share-files/6114247
- gist.github.com/Sp3eD-X/22640377f96340544baf12891f708b8f
News mentions
No linked articles in our index yet.