I have set up a Docker environment using the tinyfilemanager.php code and the Dockerfile provided by https://github.com/prasathmani/tinyfilemanager. The environment was configured with secure user options in advance to conduct a security assessment.

I logged in using the provided account (admin/admin@123). The vulnerability occurs in the file upload functionality.
Uploading a normal image file (test.png) succeeds, as shown below.


Before testing the file upload vulnerability, I verified whether files could be uploaded to the server side. The test resulted in an error, confirming that the upload failed.


Since only txt, gif, png, and jpg are allowed in allowed_file_extensions and allowed_upload_extensions, those parameters are properly validated. However, the fullpath parameter lacks sufficient validation, which allows the extension check to be bypassed and a web shell to be uploaded.

As a result, the file was successfully uploaded as test.php, and accessing it confirms that it contains the shell code, as shown below.

When examining the code around fullpath, you can see that apart from fm_clean_path there is no additional filtering or validation. The fm_clean_path function strips ../, but since no directory traversal is needed and only the file extension has to be changed, the code remains vulnerable. Therefore, simply supplying a filename with a .php extension leads to an RCE vulnerability.
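The gap described above is that the extension allowlist is never applied to the name the file is finally stored under. The following is an added example of the server-side check a maintainer would want at that point; it is not tinyfilemanager's own code, and the function name, signature and the `$allowed_upload_extensions` list (mirroring the txt, gif, png, jpg configuration used in this report) are assumptions.

```php
<?php
// Added example, not code from tinyfilemanager. Validates a client-supplied
// destination path for an upload: traversal segments are removed (as
// fm_clean_path does) and, in addition, the extension of the *final* file
// name is checked against the upload allowlist, so renaming the file via
// fullpath can no longer change its type.

/**
 * Return the sanitized destination path, or null if the upload must be rejected.
 *
 * @param string   $fullpath                   destination path sent by the client
 * @param string[] $allowed_upload_extensions  allowlist, e.g. ['txt', 'gif', 'png', 'jpg']
 */
function fm_validate_upload_target(string $fullpath, array $allowed_upload_extensions): ?string
{
    // Normalize separators and drop empty, "." and ".." segments.
    $segments = explode('/', str_replace('\\', '/', $fullpath));
    $segments = array_filter($segments, function (string $seg): bool {
        return $seg !== '' && $seg !== '.' && $seg !== '..';
    });
    $clean = implode('/', $segments);
    if ($clean === '') {
        return null; // nothing left to name the file with
    }

    // The allowlist must be enforced on the stored name, which is the value
    // the client controls, not only on the original upload name.
    $extension = strtolower(pathinfo(basename($clean), PATHINFO_EXTENSION));
    $allowed   = array_map('strtolower', $allowed_upload_extensions);
    if ($extension === '' || !in_array($extension, $allowed, true)) {
        return null; // extension missing or not on the allowlist (e.g. .php)
    }

    return $clean;
}

// Constructed sample inputs for a quick manual run.
$allowed = ['txt', 'gif', 'png', 'jpg'];
foreach (['uploads/test.png', 'uploads/test.php', '../shell.png', 'x.PNG'] as $candidate) {
    $result = fm_validate_upload_target($candidate, $allowed);
    echo str_pad($candidate, 20), ' => ', $result === null ? 'REJECTED' : $result, PHP_EOL;
}
```

The same check should run wherever a stored file name can be changed after upload (rename or move actions), since any of those paths would otherwise reopen the same bypass.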