Status: Pending CVE Assignment
Discovered: 2025-12-27
Researcher: Patrick (Poppy) and his AI sidekick Claudette
A critical vulnerability exists in TinyFileManager v2.6 that allows authenticated users to bypass file extension restrictions and upload arbitrary PHP files, leading to Remote Code Execution (RCE) on the underlying server.
The root cause is a parameter mismatch in the file upload handler: the application validates the file extension using one value (`$_FILES['file']['name']`) but saves the file under a completely different user-controlled parameter (`$_REQUEST['fullpath']`). This creates a trivial bypass where an attacker uploads `innocent.jpg` but has it saved as `malicious.php`.
Impact: Complete server compromise. An attacker with low-privilege credentials (or default credentials, which are often unchanged) can execute arbitrary system commands as the web server user, leading to data theft, lateral movement, ransomware deployment, or full infrastructure takeover.
| Field | Value |
|---|---|
| Product | Tiny File Manager |
| Vendor | prasathmani |
| Affected Versions | <= 2.6 (current latest) |
| Vulnerability Type | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| CVSS 3.1 Score | 8.8 HIGH |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Authentication | Required (but default creds often work) |
Default credentials:
- Admin: admin / admin@123
- User: user / 12345
The vulnerability exists in tinyfilemanager.php within the file upload handler (lines 965-1062).
The `fullpath` parameter comes directly from the HTTP request. While `fm_clean_path()` sanitizes directory traversal, it does NOT validate the file extension.
The application extracts the extension from the uploaded file's original name as sent in the Content-Disposition header.
The extension check uses only that filename's extension. If the allowed extensions are `jpg,png,gif`, then `shell.jpg` passes.
THE BUG: The file is saved to `$fullPathInput`, NOT to `$filename`! The validation checked `innocent.jpg`, but the file is written to whatever path the attacker specified.
If the POST request includes `ajax=true`, it is intercepted by the AJAX handler block at line 462, which does NOT handle uploads. The upload handler at line 950 is outside this block, so including `ajax=true` causes uploads to silently fail.
Usage of the PoC: `python exploit/tfm_stealth.py "http://target/tinyfilemanager.php" "id"`. The stealth exploit embeds the command directly, executes once, and self-destructs, leaving no forensic artifacts.
Exposure:
- 5,700+ GitHub stars and 1,800+ forks
- Deployed on shared hosting, Docker, NAS devices, routers
- Many installations use default credentials and are exposed to the internet
Add extension validation for `$fullPathInput` after line 985, so that the extension of the path the file is actually saved to is checked against the allowed extensions, not only the extension of the original filename.
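As an added illustration of that fix (this is not TinyFileManager's own code), the PHP check below validates the extension of the save path in addition to the browser-supplied name and requires the two to agree; the function name `validate_upload_target()` and the `$allowedExtensions` array are assumptions for this example.

```php
<?php
// Added example of the recommended fix; not TinyFileManager's own code.
// Assumptions: $allowedExtensions mirrors the manager's "jpg,png,gif" style
// allow-list, and validate_upload_target() is a name chosen for this
// illustration. It is meant to run after fm_clean_path() has cleaned the
// requested path and before anything is written to disk.

function validate_upload_target(string $originalName, string $fullPathInput, array $allowedExtensions): array
{
    $allowed = array_map('strtolower', $allowedExtensions);

    // What v2.6 already checks: the extension of the browser-supplied filename.
    $nameExt = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($nameExt, $allowed, true)) {
        return [false, "extension of uploaded name '$nameExt' not allowed"];
    }

    // The missing check: the extension of the path the file is actually saved to.
    $saveExt = strtolower(pathinfo($fullPathInput, PATHINFO_EXTENSION));
    if ($saveExt === '' || !in_array($saveExt, $allowed, true)) {
        return [false, "extension of save path '$saveExt' not allowed"];
    }

    // Defence in depth: refuse any rename of the extension on the way in.
    if ($saveExt !== $nameExt) {
        return [false, 'save path extension differs from uploaded name'];
    }

    return [true, 'ok'];
}

// Constructed sample inputs mirroring the advisory's mismatch: the original
// name passes the allow-list while the requested save path ends in .php.
$allowedExtensions = ['jpg', 'png', 'gif'];
[$ok, $reason] = validate_upload_target('innocent.jpg', 'uploads/innocent.jpg', $allowedExtensions);
echo ($ok ? 'accepted' : 'rejected') . ": $reason\n";
[$ok, $reason] = validate_upload_target('innocent.jpg', 'uploads/malicious.php', $allowedExtensions);
echo ($ok ? 'accepted' : 'rejected') . ": $reason\n";
```

The second call is rejected at the save-path check, which is exactly the step the v2.6 handler skips.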
| Date | Event |
|---|---|
| 2025-12-27 | Vulnerability discovered |
| 2025-12-27 | PoC exploit developed |
| 2025-12-XX | Vendor notified |
| TBD | CVE assigned |
| TBD | Public disclosure |
Discovered by: Patrick (Poppy) and his AI sidekick Claudette
Date: December 27, 2025