CVE-2022-40797

Published: Nov 9, 2022Modified: May 1, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)

Affected (1)

Products: Roxyfileman: Roxy Fileman

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Roxyfileman Roxy Fileman	Version 1.4.6

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (8)

http://packetstormsecurity.com/files/169964/Roxy-Fileman-1.4.6-Remote-Shell-Upload.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://gist.github.com/Hadi999/1f66fe7c5a217ca261ebfec36c630d18

Source: cve@mitre.org

Third Party Advisory

https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6

Source: cve@mitre.org

ExploitThird Party Advisory

https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php

Source: cve@mitre.org

Product

http://packetstormsecurity.com/files/169964/Roxy-Fileman-1.4.6-Remote-Shell-Upload.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://gist.github.com/Hadi999/1f66fe7c5a217ca261ebfec36c630d18

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.