CVE-2022-44276
Description
In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Responsive Filemanager before 9.12.0 allows attackers to bypass upload restrictions via a crafted filename, leading to remote code execution.
Vulnerability
In Responsive Filemanager versions before 9.12.0, the fix_filename function in upload.php sanitizes filenames with strip_tags, which removes anything it interprets as an HTML tag, including text from an unclosed angle bracket onward. An attacker can upload a file named shell.php<.txt, which becomes shell.php after stripping, so the file extension check sees the original .txt name while the stored file ends in .php. The upload also inspects file content via MIME type detection in get_extension_from_mime, based on the first few bytes. By prepending several 'a' characters, the MIME detection classifies the file as text/plain, so the PHP shell is accepted despite the content type check [1].
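The ordering flaw described above, as an added illustration written for this page; it is not Responsive Filemanager's code, and the exact order of check and sanitization in the vulnerable version is assumed from the description. The vulnerable pattern validates the raw name and then rewrites it with strip_tags; the hardened pattern validates the name that will actually be written to disk against an allowlist. The sample filenames and the extension lists are constructed.

```php
<?php
// Added example (not the project's code): filename sanitisation ordering flaw
// versus a hardened variant that validates the final stored name.

declare(strict_types=1);

// Constructed, illustrative lists; a real deployment defines its own policy.
const ALLOWED_EXTENSIONS = ['txt', 'jpg', 'png', 'pdf'];
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar'];

function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Vulnerable pattern (assumed order, modelled on the advisory text): the
// extension check runs on the raw name, and strip_tags() is applied afterwards.
// strip_tags() treats "<.txt" as an unterminated tag and drops it, so the name
// that reaches disk differs from the name that was checked.
function storedNameVulnerable(string $rawName): ?string
{
    if (in_array(extensionOf($rawName), BLOCKED_EXTENSIONS, true)) {
        return null; // rejected
    }
    return strip_tags($rawName); // "shell.php<.txt" becomes "shell.php"
}

// Hardened pattern: sanitise first, then validate the *final* name. Require a
// conservative character set, exactly one extension, and an allowlisted type.
function storedNameHardened(string $rawName): ?string
{
    $name = basename(strip_tags($rawName));
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
        return null; // unexpected characters or multiple extensions
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true)) {
        return null; // extension not on the allowlist
    }
    return $name;
}

// Constructed sample names; the first is the one named in the advisory text.
$samples = ['shell.php<.txt', 'report.txt', 'photo.JPG', 'notes.php'];
foreach ($samples as $s) {
    printf("%-16s vulnerable=%-12s hardened=%s\n",
        $s,
        storedNameVulnerable($s) ?? 'REJECTED',
        storedNameHardened($s) ?? 'REJECTED');
}
```

Run with `php` on the command line: the vulnerable function stores shell.php<.txt as shell.php, while the hardened function rejects it because the post-sanitisation extension is not allowlisted. The general lesson is that any validation must run on the exact bytes that will be persisted, after every transformation the code applies.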
Exploitation
An attacker needs network access to the Responsive Filemanager instance and the ability to upload files. The exploitation involves intercepting the upload request (e.g., with Burp Suite), changing the filename to shell.php<.txt, and ensuring the file content starts with multiple 'a' characters followed by PHP code, such as <?php system($_GET['c']);?>. After upload, the attacker accesses url/source/shell.php?c= to execute arbitrary commands [1].
Impact
Successful exploitation results in remote code execution (RCE) on the server with the privileges of the web server user. This allows the attacker to execute system commands, potentially leading to full compromise of the application and server.
Mitigation
The vulnerability is fixed in Responsive Filemanager version 9.12.0. Users should upgrade to this version or later. No workarounds are provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Responsive Filemanager / Responsive Filemanager
- Range: <9.12.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.