VYPR
Unrated severity · NVD Advisory · Published Feb 2, 2023 · Updated Mar 27, 2025

CVE-2022-46604


Description

An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tecrail Responsive FileManager ≤9.9.5 allows attackers to bypass extension checks and upload a PHP file, leading to arbitrary code execution.

Vulnerability

An issue in Tecrail Responsive FileManager versions 9.9.5 and below allows attackers to bypass the file extension check mechanism during file upload. The vulnerability resides in the execute.php file [1], where the upload logic fails to properly validate the file extension, enabling the upload of a crafted PHP file. This affects all installations using the vulnerable version of the file manager.

Exploitation

An attacker with access to the file upload functionality can craft a PHP file with a disguised extension (e.g., .php.jpg or similar) that bypasses the extension check. The attacker then uploads this file through the standard upload interface. No authentication is required if the file manager is publicly accessible, though the attack can also be performed by authenticated users. The uploaded file is stored on the server and can be accessed via a web request to trigger execution.

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution on the server with the privileges of the web server process. This can lead to full compromise of the application and underlying system, including data theft, defacement, or further lateral movement within the network.

Mitigation

The vulnerability is fixed in version 9.9.6, as indicated by the changelog [2]. Users should upgrade to version 9.9.6 or later immediately. The repository has been archived and is no longer maintained, so no further patches are expected. If upgrading is not possible, consider restricting access to the file upload functionality or implementing additional server-side validation as a workaround.
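One form the "additional server-side validation" workaround could take, as an added example that is not Responsive FileManager's code or its 9.9.6 fix: it inspects every dot-separated segment of the client-supplied name (covering the `.php.jpg` style of disguise mentioned above) and stores the file under a server-generated name. The function name, the allowlist and the blocked-segment list are assumptions to adapt to the deployment.

```php
<?php
// Added example, not Responsive FileManager code. Both lists are assumed policy.
declare(strict_types=1);

const ALLOWED_FINAL_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const BLOCKED_SEGMENTS  = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'htaccess'];

/** Returns a server-generated name to store the upload under, or null if rejected. */
function safeUploadName(string $clientName): ?string
{
    // Control characters (including NUL) have no place in a file name.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any client-supplied path, then normalise case and trailing dots/spaces.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = strtolower(rtrim($name, ". \t"));

    $segments = explode('.', $name);
    if (count($segments) < 2 || $segments[0] === '') {
        return null; // no extension at all, or a dotfile such as ".htaccess"
    }
    $final = array_pop($segments);
    if (!in_array($final, ALLOWED_FINAL_EXT, true)) {
        return null;
    }
    // Check the inner segments too: some web server configurations select a
    // handler from any matching segment, not only the last one.
    foreach (array_slice($segments, 1) as $inner) {
        if (in_array($inner, BLOCKED_SEGMENTS, true)) {
            return null; // e.g. "notes.php.jpg"
        }
    }
    // Never reuse the client's name on disk; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed sample names, for illustration only.
$samples = ['photo.jpg', 'report.PDF', 'notes.php.jpg', 'x.phtml', '.htaccess', "a.php\0.png", 'img.png. '];
foreach ($samples as $n) {
    printf("%-18s => %s\n", json_encode($n), safeUploadName($n) === null ? 'rejected' : 'accepted');
}
```

A filename check of this kind works best alongside a web server configuration that does not execute scripts from the upload directory.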

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
