Advisory 2021-05/2 Admin Portal Phar Deserialization

Potential Threat of RCE in FileCloud in Admin Portal

Security Advisory Date: May 12, 2021
Vulnerability Type: Insecure Deserialization
Severity factors

Low. To take advantage of this vulnerability, an attacker must already be an admin with access to the admin portal, must be able to manipulate and set up system storage paths, must know the physical location of the file path, and must upload to a path that allows execution.

Versions affected: All versions of FileCloud prior to 21.1.0.15081, on-premises installations only.
Version fixed: FileCloud Version 21.1.0.15081

Description

This vulnerability allowed an admin with full system privileges, including control over file system storage paths, to upload phar files to FileCloud and potentially change the stream wrapper that a PHP function uses to open them, resulting in the execution of remote PHP code.
The latest version of FileCloud fixes this by disallowing phar files to be uploaded to the server.
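The description above covers the two ingredients of a phar deserialization bug: a phar archive that reaches the server's storage, and a PHP file function that is made to open it through the phar wrapper. The PHP below is an added example, not FileCloud's code, showing how an upload handler and a storage-path builder can close both sides. Function names, the constant name and the constructed sample file are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not FileCloud's code: hardening an upload handler against
// phar deserialization. Function and constant names are hypothetical.

// A native-format phar archive must contain this token at the end of its stub.
// Tar- and zip-based phars do not, which is why unregistering the wrapper
// (below) is the primary defence and the content scan only a second layer.
const PHAR_STUB_MARKER = '__HALT_COMPILER();';

// Scan the file in chunks, overlapping by marker length minus one so a token
// that straddles a chunk boundary is still found. True if the token appears.
function looksLikePhar(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $carry = '';
    $found = false;
    while (!feof($fh)) {
        $chunk = fread($fh, 65536);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $window = $carry . $chunk;
        if (stripos($window, PHAR_STUB_MARKER) !== false) {
            $found = true;
            break;
        }
        $carry = substr($window, -(strlen(PHAR_STUB_MARKER) - 1));
    }
    fclose($fh);
    return $found;
}

// Reject an upload by client-supplied extension (the check the advisory says
// 21.1.0.15081 adds) and by content, since the extension is attacker-chosen.
function validateUpload(string $tmpPath, string $clientName): void
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'phar') {
        throw new InvalidArgumentException('phar uploads are not allowed');
    }
    if (looksLikePhar($tmpPath)) {
        throw new InvalidArgumentException('file content looks like a phar archive');
    }
}

// Storage paths built from admin-controlled configuration must be plain
// filesystem paths; refuse anything carrying a scheme prefix.
function assertPlainPath(string $path): string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException('stream wrapper prefixes are not allowed in storage paths');
    }
    return $path;
}

// At bootstrap: if the application never needs to read phar archives at
// runtime, unregistering the wrapper removes the deserialization trigger
// regardless of what was uploaded or how a path was assembled.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Demonstration on a constructed file: plain text containing the stub token,
// not a real archive, named with a harmless-looking extension.
disablePharWrapper();
$tmp = tempnam(sys_get_temp_dir(), 'fc');
file_put_contents($tmp, "<?php /* constructed stub */ __HALT_COMPILER(); ?>\r\nconstructed body\n");
try {
    validateUpload($tmp, 'report.pdf');
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($tmp);

assertPlainPath('/var/www/storage/data');
try {
    assertPlainPath('phar:///var/www/storage/data/report.pdf');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The extension check on its own is a weak filter, because the phar wrapper identifies an archive by its content rather than by a `.phar` suffix; the content scan and, above all, the wrapper unregistration are what make the upload path safe when the application has no legitimate need to read phar archives at runtime.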

Fix

This has been fixed in FileCloud version 21.1.0.15081, which prevents phar files from being uploaded into FileCloud.

What you should do

  • If you are using a FileCloud on-premises installation, please update it to the latest version, which is 21.1.0.15081 or greater.
  • If you are using FileCloud online, you are not affected.

If you have any questions about this advisory, please contact FileCloud support.