Spatie Laravel Media Library File Upload Restriction Bypass Vulnerability

Vulnerability

A file upload restriction bypass vulnerability has been identified in Spatie Laravel Media Library versions prior to 11.23.0. The issue resides in the default file name sanitizer, which only checks the final file extension. This oversight allows double-extension files, such as 'shell.php.jpg', to circumvent the blocklist, as 'pathinfo()' retains the inner '.php' portion in the saved file name. Additionally, the blocklist fails to include certain executable extensions like '.php6', '.shtml', and '.htaccess'. While the double-extension bypass can be exploited to execute PHP files under a legacy Apache AddHandler configuration, the general blocklist oversight does not require such conditions.
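To show the sanitizer weakness concretely, the following added PHP snippet (an illustration written for this page, not the Spatie Media Library source) places a check that relies only on pathinfo()'s final extension beside a check that tests every dot-separated segment; the blocklist it uses is a constructed sample that includes the extensions the advisory notes were missing.

```php
<?php
// Added illustration, not the Spatie Media Library code: the weak
// final-extension check described above next to a hardened one.
declare(strict_types=1);

// Constructed sample blocklist; includes the extensions the advisory
// says the original list lacked ('php6', 'shtml', 'htaccess').
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php6', 'phtml', 'phar',
    'shtml', 'htaccess',
];

// Weak check: looks only at the final extension as pathinfo() reports it.
// 'shell.php.jpg' yields 'jpg' and is allowed, while the saved name
// (pathinfo filename 'shell.php' plus the extension) still contains '.php'.
function isBlockedWeak(string $fileName): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Hardened check: every segment after the first dot is treated as an
// extension, so an inner '.php' is caught. A dotfile such as '.htaccess'
// splits into ['', 'htaccess'], so it is tested the same way.
function isBlockedStrict(string $fileName): bool
{
    $segments = array_slice(explode('.', strtolower($fileName)), 1);
    foreach ($segments as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names; only the first one separates the two checks.
foreach (['shell.php.jpg', 'image.jpg', 'page.shtml', '.htaccess', 'x.php6'] as $name) {
    printf("%-14s weak=%-8s strict=%s\n", $name,
        isBlockedWeak($name) ? 'blocked' : 'allowed',
        isBlockedStrict($name) ? 'blocked' : 'allowed');
}
```

The strict variant also rejects names such as 'notes.php.pdf', which is the intended trade-off when a web server may map an inner extension to a handler.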

Impact

Exploitation of this vulnerability could lead to the execution of malicious PHP files uploaded to the server, particularly in environments with a legacy Apache configuration that allows such executions.

Reproduction

To reproduce this vulnerability, upload a file with a double extension that includes a disallowed inner extension, such as 'shell.php.jpg', to a server running a vulnerable version of Spatie Laravel Media Library. Ensure that the server has a legacy Apache AddHandler configuration that permits the execution of PHP files. After uploading, the file will bypass the blocklist and execute PHP code, demonstrating the vulnerability.

Remediation

Users can update to Spatie Laravel Media Library version 11.23.0 or later, where this vulnerability has been addressed. For those unable to update, the blocked extensions can be configured in 'media-library.php'.

Added: May 29, 2026, 8:25 PM
Updated: May 29, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          0.6
exploitability  5.7
remediation     7.7
relevance       9.6
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.