CVE-2022-40490
📋 TL;DR
CVE-2022-40490 is a Cross-Site Scripting (XSS) vulnerability in Tiny File Manager v2.4.7 and below that allows attackers to execute arbitrary JavaScript code by injecting malicious payloads into file names. This affects any system running vulnerable versions of Tiny File Manager, potentially compromising user sessions and browser security.
💻 Affected Systems
- Tiny File Manager
📦 What is this software?
Tiny File Manager by Prasathmani
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or install malware through browser exploitation.
Likely Case
Session hijacking, credential theft, or defacement of the file manager interface through injected scripts.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available on GitHub. Exploitation requires minimal technical skill as it involves simple XSS payload injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.4.8 and above
Vendor Advisory: https://github.com/prasathmani/tinyfilemanager
Restart Required: No
Instructions:
1. Download latest version from GitHub repository.
2. Replace existing installation files.
3. Verify file name sanitization is working.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize file names before display
Modify PHP code to use htmlspecialchars() or similar sanitization when outputting file names
Content Security Policy
Implement strict CSP headers to prevent script execution
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Disable file upload functionality completely
- Implement web application firewall (WAF) rules to block XSS payloads in file names
🔍 How to Verify
Check if Vulnerable:
Check if file names containing XSS payloads (e.g., <script>alert('xss')</script>.txt) execute JavaScript when displayed in the file manager interface.
Check Version:
Check the version number in the Tiny File Manager interface or examine the source code for version markers.
Verify Fix Applied:
Test with same XSS payloads to ensure they are properly sanitized and displayed as plain text without script execution.
📡 Detection & Monitoring
Log Indicators:
- File uploads with suspicious names containing script tags or JavaScript code
- Unusual file name patterns in access logs
Network Indicators:
- HTTP requests with file names containing XSS payload patterns
SIEM Query:
source="web_logs" AND (file_name="*<script>*" OR file_name="*javascript:*" OR file_name="*onerror=*" OR file_name="*onload=*")
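As an added example that is not part of this advisory, the Python below applies the four indicators from the SIEM query above to constructed access-log lines. It percent-decodes the file name (repeatedly, to catch double encoding) and matches case-insensitively, because a literal `*<script>*` match against raw request logs would miss `%3Cscript%3E`. The `name` query parameter and the log lines themselves are assumptions, not taken from Tiny File Manager.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# The four indicators from the SIEM query, matched case-insensitively after
# decoding: "<ScRiPt>" is as dangerous to a browser as "<script>".
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample access-log lines (not from the advisory). The file name is
# assumed to travel in a "name" query parameter; that name is a placeholder.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Oct/2022:10:00:01 +0000] "POST /tinyfilemanager.php?upload=1&name=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2022:10:00:07 +0000] "POST /tinyfilemanager.php?upload=1&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2022:10:00:09 +0000] "POST /tinyfilemanager.php?upload=1&name=x%2522%2520ONERROR%253Dalert(1).png HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Oct/2022:10:01:00 +0000] "GET /tinyfilemanager.php?view=notes.md HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def file_name_from_log(line, param="name"):
    """Return the decoded file name from one log line, or None if the request has none."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    names = parse_qs(urlsplit(m.group(1)).query).get(param)  # parse_qs decodes once
    return fully_unquote(names[0]) if names else None


def find_suspicious_uploads(lines):
    """Return (client_ip, decoded_file_name, matched_indicators) for each hit."""
    hits = []
    for line in lines:
        name = file_name_from_log(line)
        if name is None:
            continue
        matched = [ind for ind in INDICATORS if ind in name.lower()]
        if matched:
            hits.append((line.split(" ", 1)[0], name, matched))
    return hits


if __name__ == "__main__":
    for ip, name, matched in find_suspicious_uploads(SAMPLE_LOGS):
        print(f"{ip} uploaded {name!r} matching {matched}")
```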