Innoshop File Manager Code Execution Vulnerability

A code execution vulnerability has been identified in Innoshop versions through 0.4.1. An authenticated attacker can exploit this issue by using the File Manager functions in the admin panel. The attacker uploads a crafted file, then renames it to have a .php extension using the Rename Function. This process bypasses the initial restriction that only image files can be uploaded. The application relies on frontend checks to prevent administrators from changing file extensions to .php, but this restriction can be easily circumvented with a proxy tool like BurpSuite. Once the file is renamed, a GET request can be sent to execute the code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

To reproduce this vulnerability, log into the admin panel of an affected Innoshop version. Navigate to the File Manager and upload a file that is not an image. After the file is uploaded, use the Rename Function to change the file extension to .php. This action bypasses the frontend checks that restrict file extensions. Once the file is renamed, send a GET request to the server to execute the uploaded code.