CVE-2020-12103
📋 TL;DR
This vulnerability in Tiny File Manager 2.4.1 allows authenticated users to create backup copies of files with .bak extension outside their intended directory scope. Attackers can potentially access sensitive files by manipulating backup paths. Only systems running the vulnerable version with authenticated user access are affected.
💻 Affected Systems
- Tiny File Manager
📦 What is this software?
Tiny File Manager by Prasathmani
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could create backup copies of sensitive system files (like configuration files, credentials) in accessible locations, leading to information disclosure or privilege escalation.
Likely Case
Authenticated users could access files they shouldn't normally have permission to view by creating backups in accessible directories.
If Mitigated
With proper access controls and directory permissions, impact is limited to files within the user's authorized scope.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public details and proof-of-concept are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit a0c595a8e11e55a43eeaa68e1a3ce76365f29d06
Vendor Advisory: https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06
Restart Required: No
Instructions:
1. Update to the latest Tiny File Manager version.
2. Apply commit a0c595a8e11e55a43eeaa68e1a3ce76365f29d06.
3. Verify that the ajax file backup functionality properly validates file paths.
🔧 Temporary Workarounds
Disable backup functionality (platform: all)
Temporarily disable the ajax file backup feature until patching. Modify the Tiny File Manager configuration to disable backup functionality or restrict access to backup endpoints.
Restrict file system permissions (platform: Linux)
Limit the web server user's file system permissions to prevent directory traversal:
chmod -R 750 /path/to/tinyfilemanager
chown -R www-data:www-data /path/to/tinyfilemanager
🧯 If You Can't Patch
- Implement strict access controls and monitor authenticated user activities
- Use web application firewall rules to block suspicious backup requests
🔍 How to Verify
Check if Vulnerable:
Check if running Tiny File Manager version 2.4.1. Review source code for the vulnerable ajax backup functionality.
Check Version:
Check the version in the Tiny File Manager interface or review the source code version information
Verify Fix Applied:
Verify the commit a0c595a8e11e55a43eeaa68e1a3ce76365f29d06 is applied. Test backup functionality with path traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Multiple backup file creation requests
- Requests with unusual file paths or directory traversal patterns
- Unauthorized file access attempts
Network Indicators:
- HTTP POST requests to backup endpoints with path manipulation
- Unusual file download patterns
SIEM Query:
source="web_server" AND (url="*backup*" OR url="*ajax*backup*") AND (path="*../*" OR path="*..\\*")
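The SIEM query above applied as a standalone detection script over constructed access-log lines. This is an added example, not code from the advisory or from the Tiny File Manager project; the endpoint and parameter names in the sample lines are assumed, and unlike the literal query the script percent-decodes the URL first, so encoded traversal sequences are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The
# endpoint and query parameter names are illustrative, not the project's.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Apr/2020:12:00:01 +0000] "POST /tinyfilemanager.php?p=docs&ajax=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Apr/2020:12:00:07 +0000] "POST /tinyfilemanager.php?ajax=1&type=backup&file=report.txt HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.9 - bob [10/Apr/2020:12:01:15 +0000] "POST /tinyfilemanager.php?ajax=1&type=backup&file=../../config.php HTTP/1.1" 200 128 "-" "curl/7.68"
10.0.0.9 - bob [10/Apr/2020:12:01:20 +0000] "POST /tinyfilemanager.php?ajax=1&type=backup&file=..%252F..%252Fconfig.php HTTP/1.1" 200 128 "-" "curl/7.68"
10.0.0.9 - bob [10/Apr/2020:12:01:33 +0000] "GET /index.php?p=..%2F..%2Fetc HTTP/1.1" 403 0 "-" "curl/7.68"
"""

# Fields we need from each line: client IP, authenticated user, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Equivalent of path="*../*" OR path="*..\\*" in the SIEM query.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize(url: str) -> str:
    """Percent-decode repeatedly (at most 3 passes) so that both ..%2F and the
    double-encoded ..%252F end up as ../ before matching; lower-case for 'backup'."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()


def flag_backup_traversal(log_text: str) -> list:
    """Return log entries that hit a backup endpoint AND carry a traversal
    sequence, i.e. the two AND-ed conditions of the SIEM query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = normalize(m.group("url"))
        if "backup" in url and TRAVERSAL_RE.search(url):
            hits.append({"ip": m.group("ip"), "user": m.group("user"),
                         "status": int(m.group("status")), "url": url})
    return hits


if __name__ == "__main__":
    for h in flag_backup_traversal(SAMPLE_LOG):
        print(f'{h["ip"]} {h["user"]} {h["status"]} {h["url"]}')
```

A 200 status on a flagged request is the case worth escalating, since it indicates the backup request was accepted rather than rejected.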
🔗 References
- https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/
- https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06
- https://github.com/prasathmani/tinyfilemanager/issues/357