CVE-2024-21546
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on servers running vulnerable versions of the UniSharp Laravel File Manager package. By uploading a PHP file with an accepted MIME type and appending a '.' character after the '.php' extension, attackers can bypass the upload security checks and achieve remote code execution. Any Laravel application using unisharp/laravel-filemanager before version 2.9.1 is affected.
💻 Affected Systems
- UniSharp Laravel File Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
File system access, data exfiltration, backdoor installation, and potential lateral movement within the network.
If Mitigated
Limited impact if proper file upload restrictions, web application firewalls, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires file upload access but is straightforward once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1
Vendor Advisory: https://github.com/UniSharp/laravel-filemanager/commit/8170760c0ae316d77b9363cd4c76ab68d3f63f0b
Restart Required: No
Instructions:
1. Update composer.json to require "unisharp/laravel-filemanager": "^2.9.1".
2. Run composer update unisharp/laravel-filemanager.
3. Clear the Laravel cache with php artisan cache:clear.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable file upload functionality in the Laravel File Manager configuration.
Edit config/lfm.php and set 'enabled' => false for upload configurations.
Restrict file extensions
Configure the file manager to reject .php files entirely.
Edit config/lfm.php and modify the 'valid_file_mimetypes' and 'valid_file_extensions' arrays.
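A simplified model of the trailing-dot bypass described in the TL;DR and of the extension-restriction workaround above, added here as an example; it is not the package's own validation code, and the denylist is constructed for illustration. The hardened check also rejects double extensions such as .php.jpg, which goes beyond the single '.php.' case this page describes.

```python
# Constructed denylist for the example; the real project's lists live in config/lfm.php.
DISALLOWED_EXTENSIONS = {"php", "phtml", "phar"}


def naive_extension(filename: str) -> str:
    """Model of a check that only looks at the text after the final dot.

    For 'shell.php.' the text after the last dot is empty, so a denylist
    lookup on the result finds nothing and the upload is accepted.
    """
    _head, sep, ext = filename.rpartition(".")
    return ext.lower() if sep else ""


def naive_is_allowed(filename: str, disallowed=DISALLOWED_EXTENSIONS) -> bool:
    """Vulnerable-style decision: accept unless the last extension is denylisted."""
    return naive_extension(filename) not in disallowed


def hardened_is_allowed(filename: str, disallowed=DISALLOWED_EXTENSIONS) -> bool:
    """Reject if ANY extension component is denylisted.

    Trailing dots and whitespace are stripped first, because filesystems and
    web servers may discard them, so 'shell.php.' is judged as 'shell.php'.
    A name with no usable extension is rejected rather than accepted.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    base = base.rstrip(". \t")                             # 'shell.php.' -> 'shell.php'
    parts = [p for p in base.lower().split(".") if p]
    if len(parts) < 2:
        return False
    return not any(p in disallowed for p in parts[1:])


if __name__ == "__main__":
    # Constructed sample filenames: the bypass name, plain names, and a double extension.
    for name in ("photo.jpg", "shell.php", "shell.php.", "shell.php.jpg", "README"):
        print(f"{name!r:18} naive={naive_is_allowed(name)!s:5} hardened={hardened_is_allowed(name)}")
```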
🧯 If You Can't Patch
- Implement strict WAF rules to block requests containing '.php.' patterns in file uploads
- Restrict network access to the file manager interface using IP whitelisting or authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check composer.lock for the 'unisharp/laravel-filemanager' version. If the version is below 2.9.1, the system is vulnerable.
Check Version:
grep -A2 -B2 'unisharp/laravel-filemanager' composer.lock
Verify Fix Applied:
Confirm composer.lock shows version 2.9.1 or higher for 'unisharp/laravel-filemanager'.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with '.php.' in filename
- Unusual POST requests to file upload endpoints
- Execution of unexpected PHP files
Network Indicators:
- HTTP requests with multipart/form-data containing '.php.' patterns
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_logs" AND (uri_path="*upload*" OR uri_path="*filemanager*") AND (file_name="*.php.*" OR user_agent="*curl*" OR user_agent="*wget*")