alexusmai laravel-file-manager
cpe:2.3:a:laravel_filemanager_project:laravel_filemanager:*:*:*:*:*:*:*
- <v3.3.1
A remote code execution vulnerability has been identified in Laravel File Manager versions through 3.3.1. This issue allows authenticated attackers to execute arbitrary PHP code on the server by uploading a file with a permitted extension, such as .png or .pdf, that contains malicious PHP code. After the file is uploaded, the attacker can rename it to a .php extension and access it via a public URL to execute the embedded code. Alternatively, the 'Create File' function can be used to create a .php file, insert malicious code, and access it through a public URL.
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the web server. This could lead to a full compromise of the web application and the host system, with critical risks associated with the confidentiality, integrity, and availability of the affected system.
To reproduce this vulnerability, authenticate with an account that has access to the file manager's upload or file creation features. Upload a file containing malicious PHP code through the file manager's interface or API, using an extension that is not executable, such as .png. After the upload, use the rename API or interface to change the file's extension to .php. Once renamed, the file can be accessed via a public URL, which will trigger the execution of the PHP payload. Alternatively, the 'Create File' function can be used to create a .php file, which can then be edited to include malicious PHP code before being accessed through a public URL.
To address this vulnerability, it is recommended to implement server-side validation of file MIME types and magic bytes to ensure that uploaded files correspond with their extensions. A strict whitelist of allowed file extensions should be enforced, rejecting executable extensions like .php. Additionally, file renaming should be restricted to prevent changing extensions to executable formats without further validation, and script or PHP execution should be disabled in directories where files are uploaded.
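As an added illustration of the extension whitelist, magic-byte check and rename restriction recommended above (example code, not from the advisory or the laravel-file-manager project; the function names and the signature table are assumptions):

```php
<?php
// Added example (not part of the advisory or the laravel-file-manager project):
// server-side checks a file manager can apply before accepting an upload or a rename.
// The function names and the ALLOWED_MAGIC table are hypothetical.

// Extensions allowed to be stored, with the leading bytes a file of that type must start with.
const ALLOWED_MAGIC = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'gif'  => ["GIF87a", "GIF89a"],
    'pdf'  => ["%PDF-"],
];

// Extensions the web server may execute or interpret as configuration; an upload or rename
// must never produce one of these as any path component, regardless of case.
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht', 'htaccess'];

function extensionOf(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// True when the final extension is whitelisted and no earlier dotted part is executable
// (rejects names such as shell.php.png, which some Apache mod_mime setups still hand to PHP).
function isSafeUploadName(string $name): bool {
    $parts = explode('.', basename($name));
    if (count($parts) < 2) return false;
    $ext = strtolower(array_pop($parts));
    if (!isset(ALLOWED_MAGIC[$ext])) return false;
    foreach ($parts as $p) {
        if (in_array(strtolower($p), EXECUTABLE_EXT, true)) return false;
    }
    return true;
}

// True when the file contents start with one of the signatures for the claimed extension,
// so a PHP source file labelled .png is refused even though the extension is allowed.
function magicBytesMatch(string $contents, string $ext): bool {
    foreach (ALLOWED_MAGIC[$ext] ?? [] as $sig) {
        if (strncmp($contents, $sig, strlen($sig)) === 0) return true;
    }
    return false;
}

// A rename may change the base name but never the extension; changing it would bypass the upload checks.
function isSafeRename(string $oldName, string $newName): bool {
    return isSafeUploadName($newName) && extensionOf($newName) === extensionOf($oldName);
}

// Constructed samples: a "png" whose contents are PHP source, and a rename to .php, are both rejected.
$fakePng = "<?php echo 1;";
var_dump(isSafeUploadName('avatar.png') && magicBytesMatch($fakePng, 'png'));
var_dump(isSafeRename('avatar.png', 'avatar.php'));
```

These checks complement, rather than replace, a web-server rule that refuses to execute scripts under the upload directory (for example an nginx `location` block for that path that returns 403 for `.php` requests), so that a file which slips past validation still cannot run.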