A file upload vulnerability in the file handling module of moziloCMS v2.0, the "simple and clear" flat-file content management system (Flatfile-CMS), allows an attacker to bypass extension restrictions through file renaming. This can potentially lead to unauthorized file execution or storage of malicious content.
After logging in to the user account, one can see the files tab on the navigation bar.
The application restricts file uploads by disallowing the file types that are configured in the moziloAdmin panel.
The restriction is enforced against the file extension at upload time. However, the application does not adequately verify file types after upload, so an attacker can bypass the extension check by simply changing the filename after the upload process.

    if(ACTION == "files") {
        global $ADMIN_CONF;
        // "noupload" is a %2C-separated list of blocked extensions; prefix each with "."
        if(strlen($ADMIN_CONF->get("noupload")) > 0) {
            $acceptfiletypes = ".".str_replace("%2C","%2C.",$ADMIN_CONF->get("noupload"));
            $acceptfiletypes = explode("%2C",$acceptfiletypes);
        } else
            $acceptfiletypes = array();
        // Reject the upload when the last extension of the name is in the blocked list
        if(in_array(strtolower(substr($file->name,(strrpos($file->name,".")))),$acceptfiletypes))
            return 'acceptFileTypes';
    } else {
        // Other actions: reject names whose last extension is not in the list
        if(!in_array(strtolower(substr($file->name,(strrpos($file->name,".")))),$acceptfiletypes))
            return 'acceptFileTypes';

The application applies extension checks during the upload process, but fails to implement the same checks during file renaming, thereby enabling an attacker to bypass extension restrictions by renaming the uploaded file.

    if(false !== ($newfile = getRequestValue('newfile','post',false))
            and false !== ($orgfile = getRequestValue('orgfile','post'))
            and false !== ($curent_dir = getRequestValue('curent_dir','post'))) {
        $dir = CONTENT_DIR_REL.$curent_dir."/".CONTENT_FILES_DIR_NAME."/";
        // $newfile goes to moveFileDir() without the "noupload" extension check
        if(true !== ($error = moveFileDir($dir.$orgfile,$dir.$newfile,true))) {
            ajax_return("error",true,$error,true,"js-dialog-reload");
        }
        ajax_return("success",true);
    }
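
One way to close the gap is to run the new file name through the same "noupload" list before the rename is performed. The following is an added example, not moziloCMS code: is_blocked_name() is a hypothetical helper, the setting value and file names are constructed, and the helper is deliberately stricter than the upload check above because it tests every extension segment and ignores trailing dots and spaces.

```php
<?php
/**
 * Return true when $name carries an extension from the deny list.
 * $noupload is the raw setting value: extensions joined by "%2C",
 * the format read from $ADMIN_CONF->get("noupload") in the upload check.
 * (Hypothetical helper, not part of moziloCMS.)
 */
function is_blocked_name(string $name, string $noupload): bool
{
    if ($noupload === '') {
        return false;                 // nothing configured, nothing blocked
    }
    $blocked = array_map('strtolower', explode('%2C', $noupload));

    // Normalise: strip any directory part, trailing dots/spaces, and case.
    $name = strtolower(rtrim(basename($name), ". "));

    // Check every dot-separated segment after the first one, so a blocked
    // extension is caught whether it is the last segment or an inner one.
    $segments = explode('.', $name);
    array_shift($segments);
    foreach ($segments as $ext) {
        if (in_array($ext, $blocked, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values standing in for the setting and for the
// 'newfile' POST field of the rename request.
$noupload = 'php%2Cphtml%2Cphar';
$samples  = ['notes.txt', 'page.php', 'PAGE.PhP', 'page.php.', 'page.php.txt', 'README'];

foreach ($samples as $newfile) {
    $verdict = is_blocked_name($newfile, $noupload) ? 'rejected' : 'allowed';
    printf("%-14s %s\n", $newfile, $verdict);
}
```

In the rename handler shown above, the call would sit before moveFileDir(), with a blocked name answered through the existing ajax_return("error", ...) path instead of being moved.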