Recommended Patch for Remote Command Execution Vulnerability #426

Open
@security-prince

Description

Hi @Awilum
Kindly also blacklist extensions in all uppercase or in a mix of uppercase and lowercase (pHP, Php) in https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php
Line 19:

    public static function main()
    {
        // Array of forbidden types
        $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

As you can see in the above code, only the lowercase extensions are blacklisted; however, some of these executables can be executed even with extension names in uppercase or in a mix of uppercase and lowercase.

This issue can be patched by converting $ext to lowercase.
This can be done by replacing lines 113, 114 and 115 of index.view.php in https://github.com/monstra-cms/monstra/blob/8c318cdd033a9152a7fba591b37d6739d0c27fce/plugins/box/filesmanager/views/backend/index.view.php with the code below:

    <?php if (isset($files_list))
        foreach ($files_list as $file) { $ext = File::ext($file);
    ?>
        <?php if (! in_array(strtolower($ext), $forbidden_types)) {

            $dimension = '';
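The following stand-alone script is an added illustration of the point made in the issue; it is not code from the monstra repository or from the issue author. It places the original case-sensitive check beside the patched one and runs both over a few constructed file names, so the difference is visible without the rest of the view. `extensionOf()` is an assumed stand-in for `File::ext()` (text after the last dot, empty string if there is none); the forbidden-types array is the one quoted in the issue.

```php
<?php
// Added example, not part of the monstra code base or of the issue.
// Shows why the blacklist check must fold the extension to lowercase.

// Forbidden types, copied from filesmanager.admin.php as quoted in the issue.
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml',
    'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh',
    'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
    'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

// Assumed stand-in for File::ext(): the text after the last dot, '' if no dot.
function extensionOf(string $name): string
{
    $pos = strrpos($name, '.');
    return $pos === false ? '' : substr($name, $pos + 1);
}

// Original check: exact, case-sensitive comparison against a lowercase list,
// so 'PHP' or 'pHp' never matches 'php'.
function isForbiddenCaseSensitive(string $name, array $forbidden): bool
{
    return in_array(extensionOf($name), $forbidden, true);
}

// Patched check: normalise the extension to lowercase first, so every case
// variant of a listed extension is compared in the same form as the list.
function isForbiddenCaseInsensitive(string $name, array $forbidden): bool
{
    return in_array(strtolower(extensionOf($name)), $forbidden, true);
}

// Constructed sample upload names covering the cases the issue describes.
$samples = ['notes.txt', 'shell.php', 'shell.PHP', 'shell.pHp', 'run.Bat', 'README'];

printf("%-12s %-10s %-10s\n", 'file', 'original', 'patched');
foreach ($samples as $name) {
    printf("%-12s %-10s %-10s\n",
        $name,
        isForbiddenCaseSensitive($name, $forbidden_types) ? 'blocked' : 'ALLOWED',
        isForbiddenCaseInsensitive($name, $forbidden_types) ? 'blocked' : 'ALLOWED');
}
```

Run it with `php example.php`: the two lowercase and uppercase `shell.*` names are blocked only by the patched function, while `notes.txt` and `README` pass both. The fold must happen on the extension that is actually compared; lowercasing only the list (which is already lowercase) changes nothing.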
