Tiny File Manager 2.4.8 - Remote Command Execution
Severity: 10 (Critical)
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Tiny File Manager 2.4.8 - RCE
Code name:
State: Public
Release date: 21 nov 2022
Affected product: Tiny File Manager
Affected version(s): Version 2.6.3
Vulnerability name: Remote command execution
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score: 10.0
Exploit available: Yes
CVE ID(s): CVE-2022-23044, CVE-2022-45475, CVE-2022-45476
Description
Version 2.4.8 of Tiny File Manager allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.
Vulnerability
This vulnerability exists because the application is vulnerable to CSRF (so an administrator's browser can be made to submit an upload on the attacker's behalf), processes uploaded files server-side instead of only returning them for download, and allows unauthenticated users to access the uploaded files.
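As an added illustration of the three controls whose absence the advisory describes (example code written for this page, not Tiny File Manager's own): a session-bound CSRF token checked on every upload, an authentication check before uploads are accepted, and upload storage outside the web root with content only ever returned as a download. The upload directory, session keys and function names are assumptions.

```php
<?php
// Added hardening example, not code from Tiny File Manager. It shows the
// three controls whose absence the advisory describes: a session-bound CSRF
// token, an authentication check, and upload handling that never lets an
// uploaded file be executed by the server or fetched without a session.
// The directory, session keys and function names are assumptions.
session_start();

// Assumed: a directory outside the web root, so nothing stored there is ever
// interpreted by PHP; files only reach clients through send_download().
const UPLOAD_DIR = '/var/lib/app/uploads';

// Rendered into the upload form as a hidden field; unlike the session cookie,
// the browser never attaches it automatically to a cross-site request.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// A token that does not match the one this session issued means the request
// was not produced by a form the application rendered.
function csrf_valid($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

function handle_upload(): void {
    if (empty($_SESSION['user'])) { http_response_code(401); exit; }
    if (!csrf_valid($_POST['csrf'] ?? null)) { http_response_code(403); exit; }
    $f = $_FILES['file'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) { http_response_code(400); exit; }
    // Ignore the client-chosen name; store under a random, extension-less id.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        http_response_code(500); exit;
    }
    $_SESSION['files'][$id] = basename($f['name']); // original name, display only
}

// Uploaded content is returned as an opaque download and never executed.
function send_download(string $id): void {
    if (empty($_SESSION['user']) || !isset($_SESSION['files'][$id])) {
        http_response_code(404); exit;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="download.bin"');
    readfile(UPLOAD_DIR . '/' . $id);
}
```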
Exploitation
To exploit this vulnerability, the following file must be sent to the server as administrator (to achieve this I will abuse the CSRF present in the application).
exploit.php
Evidence of exploitation


We have reserved CVE-2022-23044, CVE-2022-45475 and CVE-2022-45476 to refer to this issue from now on.
System Information
Version: Tiny File Manager 2.4.8
Operating System: GNU/Linux
Mitigation
An updated version of Tiny File Manager is available at the vendor page.
References
Timeline
17 nov 2022
Vendor confirmed vuln.: 17 nov 2022
Vendor contacted: 17 nov 2022
Vendor replied: 17 nov 2022
Public disclosure: 21 nov 2022