Prasathmani TinyFileManager Path Traversal Vulnerability in filemanager.php POST Parameter Handler

Vulnerability

A path traversal vulnerability exists in Prasathmani TinyFileManager versions up to 2.6. The issue arises in the filemanager.php component, specifically within the POST parameter handler. The vulnerability allows authenticated, non-read-only users to delete arbitrary files outside the application's root directory by manipulating the file[] POST parameter. The mass delete handler fails to properly sanitize input, enabling traversal sequences to escape the web root and target files in the /tmp directory.

Impact

Exploitation of this vulnerability allows for the deletion of any file accessible by the web server process, outside the application's managed directory.

Reproduction

To reproduce this vulnerability, first create a file outside the web root, such as in the /tmp directory. Then, send a POST request to filemanager.php with a crafted file[] parameter that includes traversal sequences to navigate out of the web root and into the /tmp directory, targeting the file created earlier. After the request is processed, verify that the file has been deleted.

Remediation

The vulnerability can be addressed by applying the fm_clean_path() function to each entry in the file[] array before constructing the target path, ensuring consistent input sanitization as applied in other file operation handlers.
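The following is an added illustration of the remediation described above, not TinyFileManager's own code: clean_path_example() is a hypothetical stand-in for fm_clean_path() (the real function's exact behaviour is not reproduced here), and is_inside_root() is an extra realpath-based containment check that also catches symlinks pointing outside the root.

```php
<?php
// Hypothetical stand-in for fm_clean_path(): normalise separators and drop
// empty, "." and ".." segments so the result can never climb above its base.
function clean_path_example(string $path): string {
    $path = str_replace('\\', '/', $path);
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            continue;
        }
        $parts[] = $seg;
    }
    return implode('/', $parts);
}

// Defence in depth: resolve the final path and confirm it still lies under the root.
function is_inside_root(string $root, string $target): bool {
    $realRoot = realpath($root);
    $realTarget = realpath($target);
    if ($realRoot === false || $realTarget === false) {
        return false;
    }
    return $realTarget === $realRoot
        || strpos($realTarget, $realRoot . DIRECTORY_SEPARATOR) === 0;
}

// Hardened mass-delete handler: every file[] entry is cleaned before the path is built.
function mass_delete(string $root, string $currentDir, array $files): array {
    $base = rtrim($root . '/' . clean_path_example($currentDir), '/');
    $result = [];
    foreach ($files as $raw) {
        $name = clean_path_example((string) $raw);
        $target = $base . '/' . $name;
        if ($name === '' || !is_file($target)) {
            $result[$raw] = 'missing';
        } elseif (!is_inside_root($root, $target)) {
            $result[$raw] = 'rejected';   // resolves outside the root (e.g. a symlink)
        } else {
            $result[$raw] = unlink($target) ? 'deleted' : 'failed';
        }
    }
    return $result;
}

// Constructed demonstration: one legitimate entry and one traversal-style entry.
$root = sys_get_temp_dir() . '/tfm_root_demo';
@mkdir($root . '/sub', 0700, true);
file_put_contents($root . '/sub/keep.txt', 'x');
print_r(mass_delete($root, 'sub', ['keep.txt', '../../../../tmp/outside.txt']));
```

With the cleaning step in place the second entry collapses to `tmp/outside.txt` relative to the current directory and can no longer reach a file outside the root.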

Added: Apr 17, 2026, 3:23 PM
Updated: Apr 17, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 6.6
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.