CVE-2021-45010:
Path traversal vulnerability in Tiny File Manager before 2.4.7 allows authenticated remote attackers to upload malicious PHP files to execute arbitrary code.
Score
A numerical rating (CVSS v3.x base score) that indicates how dangerous this vulnerability is.
- Score: 8.8 (High)
- Published Date: Mar 15, 2022
- CISA KEV Date: not listed
- Industries Affected: 20
Threat Predictions
- EPSS Score: 72.4% (EPSS estimate of the probability that the vulnerability sees exploitation activity within the next 30 days)
- EPSS Percentile: 99% (scored higher than 99% of all vulnerabilities in the EPSS data set)
Exploitability
- Vector (assembled from the metrics listed here): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
Tiny File Manager is a single-file, web-based file manager written in PHP. Before version 2.4.7 its upload handler takes the destination directory from a request parameter and joins it to the configured root without canonicalising the result, so an authenticated user can supply `../` sequences and write the uploaded file outside the directory they are supposed to be confined to (CWE-22). Because the attacker also controls the file name, they can drop a `.php` file into a directory the web server serves and then request it over HTTP, executing arbitrary code with the privileges of the web server process. The only precondition is a valid login, which is a low bar in practice: the script ships with default accounts (admin/admin@123 and user/12345) that many deployments never change, which is what the PR:L / UI:N metrics above reflect. Multiple public exploits demonstrate the full chain from login to remote code execution, and the EPSS figures above reflect that availability.
Remediation
- 1. Update Tiny File Manager to version 2.4.7 or later, which contains the fix.
- 2. If updating immediately is not possible, reduce exposure in the meantime:
  - Restrict access to the Tiny File Manager interface to trusted source IP addresses only.
  - Add an authentication layer at the web server level (for example HTTP basic authentication or a VPN-only virtual host), and change or remove the shipped default accounts.
  - Monitor for suspicious upload activity: upload requests whose path parameter contains `..` (plain or URL-encoded), and new `.php` or other server-executable files appearing outside the file manager's configured root.
- 3. Review the security patch in GitHub commit 2046bbde72ed76af0cfdcae082de629bcc4b44c7 to understand the fix if you need to back-port it yourself.
- 4. Verify that every file operation in your deployment canonicalises the requested path (resolving `..`, `.` and symlinks) before checking that it lies inside the configured root, and that uploads are limited to an allow-list of non-executable extensions. Stripping `../` substrings is not sufficient on its own.
- 5. A web application firewall can block the obvious `../` and `%2e%2e/` patterns and buys time, but it is a stopgap, not a substitute for the patch.
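The bug class described in the Overview and the canonicalisation check called for in remediation item 4, as an added example in PHP. This is illustrative code written for this page, not Tiny File Manager's upload handler or its patch; the function and variable names (`vulnerable_destination`, `safe_destination`, `$requestedDir`, `$fileName`) are hypothetical, the extension allow-list is an assumption, and the root directory under the system temp directory is constructed for the run.

```php
<?php
// Added example for this page, not Tiny File Manager's code or its patch.
// Shows the CWE-22 bug class behind CVE-2021-45010 in an upload handler and
// one way to close it. Function and variable names are hypothetical.
declare(strict_types=1);

// Vulnerable shape: the directory comes straight from the request and is
// joined to the configured root. "../" segments in $requestedDir walk out of
// $root, and nothing stops $fileName from ending in ".php".
function vulnerable_destination(string $root, string $requestedDir, string $fileName): string
{
    return rtrim($root, '/') . '/' . $requestedDir . '/' . $fileName;
}

// Hardened shape. Returns the absolute destination path, or null if the
// request must be rejected.
function safe_destination(string $root, string $requestedDir, string $fileName, array $allowedExt): ?string
{
    // Filesystem functions in PHP 8 throw on null bytes; reject them up front.
    if (strpos($requestedDir . $fileName, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks but returns false for a path
    // that does not exist. The uploaded file does not exist yet, so canonicalise
    // the target directory rather than the full file path.
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null; // misconfigured root
    }
    $realDir = realpath($realRoot . '/' . $requestedDir);
    if ($realDir === false) {
        return null; // target directory does not exist
    }
    // Containment check with a trailing separator, so that a sibling such as
    // "/srv/files2" is not accepted as a child of "/srv/files".
    $prefix = ($realRoot === '/') ? '/' : $realRoot . '/';
    if (strncmp($realDir . '/', $prefix, strlen($prefix)) !== 0) {
        return null; // resolved directory lies outside the root
    }
    // Keep only the final path component of the supplied name, then apply an
    // allow-list of extensions. A denylist of ".php" is fragile (".phtml",
    // ".phar", double extensions); an allow-list of non-executable types is not.
    $base = basename($fileName);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null; // extension not allow-listed
    }
    return $realDir . '/' . $base;
}

// Constructed demo environment: a temporary root with one subdirectory.
$root = sys_get_temp_dir() . '/tfm-demo-' . getmypid();
mkdir($root . '/docs', 0700, true);
$allowed = ['txt', 'png', 'jpg', 'pdf']; // assumed allow-list

$cases = [
    ['docs',                  'notes.txt'],        // legitimate upload
    ['../../../var/www/html', 'shell.php'],        // traversal plus executable name
    ['docs',                  'shell.php'],        // inside the root, still executable
    ['docs',                  '../../etc/passwd'], // traversal hidden in the file name
];
foreach ($cases as [$dir, $name]) {
    $vuln = vulnerable_destination($root, $dir, $name);
    $safe = safe_destination($root, $dir, $name, $allowed);
    printf("dir=%s name=%s\n  vulnerable: %s\n  hardened:   %s\n", $dir, $name, $vuln, $safe ?? 'REJECTED');
}

rmdir($root . '/docs');
rmdir($root);
```

Run it with `php example.php` (PHP 7.1 or later). Only the first case yields a destination from the hardened function; the traversal cases are rejected because the canonicalised directory leaves the root, and the in-root `shell.php` case is rejected by the extension allow-list, which is the second control the Overview's attack chain depends on defeating.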
References
- 1. Vulnerability details and exploit: http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- 2. Technical analysis: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
- 3. Security patch: https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7
- 4. Pull request with fix: https://github.com/prasathmani/tinyfilemanager/pull/636
- 5. Exploit code: https://github.com/febinrev/tinyfilemanager-2.4.6-exploit/raw/main/exploit.sh
- 6. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - https://cwe.mitre.org/data/definitions/22.html
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.