PT-2022-25541 · Unknown · Roxy Fileman
Author: Hadi Mene · Published 2022-11-09 · Updated 2025-05-01
CVE-2022-40797 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Roxy Fileman version 1.4.6
Description
The issue allows Remote Code Execution via a .phar upload. The default FORBIDDEN UPLOADS value in conf.json blocks only .php, .php4 and .php5 files, so a file with a .phar extension passes the upload check. In some web-server configurations a request for any .phar file is handed to the PHP interpreter, so an uploaded .phar containing PHP code is executed on the server.
Recommendations
For Roxy Fileman version 1.4.6, update the FORBIDDEN UPLOADS value in conf.json to include the .phar extension so that .phar uploads are rejected and Remote Code Execution via .phar uploads is prevented. As a temporary workaround, restrict web-server access to .phar files (in particular within the upload directory) to minimize the risk of exploitation.
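The following is an added example, not code from Roxy Fileman or from this advisory's author. It models the extension deny-list check described above: with the default list the advisory names (php, php4, php5) a .phar upload is accepted, while a hardened list rejects it. The conf.json key name FORBIDDEN_UPLOADS and its space-separated string format are assumptions, as is the sample conf.json; the hardened list also goes beyond the page's .phar by adding other extensions that PHP handlers commonly map (phtml, php3, php7, phps), which is a generalization of the fix rather than something the advisory states.

```python
"""Model of an extension deny-list upload check (added example, not Roxy Fileman's own code)."""
import json
import os

# The advisory states the shipped deny list covers only these three extensions.
DEFAULT_FORBIDDEN = ("php", "php4", "php5")

# Hardened list: adds .phar (the advisory's fix) plus other extensions commonly
# handled by the PHP interpreter. The extra entries are an assumption/generalization.
HARDENED_FORBIDDEN = DEFAULT_FORBIDDEN + ("phar", "phtml", "php3", "php7", "phps")

# Constructed sample conf.json fragment mirroring the advisory's default.
# The key name FORBIDDEN_UPLOADS and the space-separated format are assumptions.
CONSTRUCTED_CONF_JSON = '{"FORBIDDEN_UPLOADS": "php php4 php5"}'


def extensions_of(filename):
    """Return every extension component of a filename, lower-cased.

    'shell.PHAR' -> ('phar',) and 'shell.phar.txt' -> ('phar', 'txt'), so a
    check over all components is stricter than one over the final extension
    alone, and case differences cannot slip past the list.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    return tuple(p for p in base.lower().split(".")[1:] if p)


def is_upload_allowed(filename, forbidden=DEFAULT_FORBIDDEN):
    """Reject the upload if any extension component is on the deny list."""
    return not any(ext in forbidden for ext in extensions_of(filename))


def audit_conf(conf_text, required=("phar",)):
    """Return the required extensions missing from a conf.json deny list.

    An empty tuple means the list already covers every required extension.
    """
    conf = json.loads(conf_text)
    listed = set(conf.get("FORBIDDEN_UPLOADS", "").lower().split())
    return tuple(ext for ext in required if ext not in listed)


if __name__ == "__main__":
    # With the default list the .phar upload is accepted; the hardened list rejects it.
    print("default  allows shell.phar:", is_upload_allowed("shell.phar"))
    print("hardened allows shell.phar:", is_upload_allowed("shell.phar", HARDENED_FORBIDDEN))
    print("missing from sample conf.json:", audit_conf(CONSTRUCTED_CONF_JSON))
```

Running audit_conf against the live conf.json is a quick way to confirm the fix has been applied after an upgrade or manual edit; the web-server-level restriction on .phar files mentioned as a workaround is complementary, since it still protects files that were uploaded before the deny list was corrected.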
Links: Exploit · Fix
Tags: RCE · Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products: Roxy Fileman