Hi @Awilum
Kindly also blacklist extensions written in all uppercase or in a combination of uppercase and lowercase (pHP, Php) in https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php

Line 19:

```php
public static function main()
{
    // Array of forbidden types
    $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');
```

As you can see in the above code, only the lowercase extensions are blacklisted; however, some of these executables can be executed even with extension names in uppercase or in a combination of both uppercase and lowercase.
```php
<?php if (isset($files_list))
    foreach ($files_list as $file) {
        $ext = File::ext($file);
?>
<?php
    // Normalise the extension to lowercase before comparing it against the blacklist
    if (! in_array(strtolower($ext), $forbidden_types)) {
        $dimension = '';
```
security-prince changed the title from "Patch for Remote Command Execution Vulnerability" to "Recommended Patch for Remote Command Execution Vulnerability" on Nov 22, 2017
This issue can be patched by converting the `$ext` into lowercase. This can be done by replacing the code on lines 113, 114 and 115 of index.view.php in https://github.com/monstra-cms/monstra/blob/8c318cdd033a9152a7fba591b37d6739d0c27fce/plugins/box/filesmanager/views/backend/index.view.php with the `strtolower($ext)` version quoted above.
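As an added example (not Monstra's code and not written by the issue author), the stand-alone PHP script below places the original case-sensitive blacklist check beside the patched `strtolower` check recommended above and runs both over a few constructed filenames. `file_ext()` is an assumed stand-in for Monstra's `File::ext()` and `FORBIDDEN_TYPES` reproduces the list quoted from line 19 of filesmanager.admin.php.

```php
<?php
// Added example, not part of the Monstra project or the issue text.

// Assumed stand-in for Monstra's File::ext(): the part of the name after the last dot.
function file_ext(string $filename): string
{
    return pathinfo($filename, PATHINFO_EXTENSION);
}

// Forbidden list as quoted from filesmanager.admin.php line 19 (lowercase entries only).
const FORBIDDEN_TYPES = ['html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'];

// Original behaviour: exact, case-sensitive membership test.
// 'pHP' is not literally in the list, so a file named shell.pHP is not blocked.
function is_forbidden_case_sensitive(string $filename): bool
{
    return in_array(file_ext($filename), FORBIDDEN_TYPES, true);
}

// Patched behaviour: lowercase the extension first, as the issue recommends,
// so pHP, Php and PHP all compare equal to the 'php' entry.
// The third argument (true) asks for a strict comparison; it is an added hardening
// detail, not something the issue text calls for.
function is_forbidden_case_insensitive(string $filename): bool
{
    return in_array(strtolower(file_ext($filename)), FORBIDDEN_TYPES, true);
}

// Constructed sample names for the comparison (not taken from the issue).
$samples = ['readme.txt', 'shell.php', 'shell.pHP', 'shell.Php', 'image.JPG', '.htaccess', 'script.PHTML'];

printf("%-14s %-10s %-10s\n", 'filename', 'original', 'patched');
foreach ($samples as $name) {
    printf(
        "%-14s %-10s %-10s\n",
        $name,
        is_forbidden_case_sensitive($name) ? 'blocked' : 'allowed',
        is_forbidden_case_insensitive($name) ? 'blocked' : 'allowed'
    );
}
```

Run it with `php` on the command line: the `shell.pHP`, `shell.Php` and `script.PHTML` rows come out as "allowed" under the original check and "blocked" under the patched one, which is exactly the gap the issue describes, while `readme.txt` and `image.JPG` stay allowed under both.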