Advisory 2021-05/2 Admin Portal Phar Deserialization
Potential RCE in the FileCloud admin portal
|Security Advisory Date||May 12, 2021|
|Vulnerability Type||Insecure Deserialization (phar metadata)|
|Severity||Low. To exploit this issue an attacker must already have admin-portal access, must be able to configure system storage paths, must know the physical location of the uploaded file, and must be able to upload to a path where execution is possible.|
|Versions affected||All versions of FileCloud prior to 184.108.40.20681, on-premises installations only.|
|Version fixed||FileCloud Version 220.127.116.1181|
This vulnerability allowed an admin with full system privileges, including control over file system storage paths, to upload a phar archive to FileCloud and then point a storage path at it through PHP's phar:// stream wrapper. When a PHP filesystem function is called on such a path, PHP parses the archive and unserializes its metadata, so attacker-controlled objects are instantiated and could potentially lead to remote PHP code execution.
This has been fixed in FileCloud version 18.104.22.16881, which prevents phar files from being uploaded to the server.
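The following is an added illustration of the pattern behind this advisory and of two checks a practitioner would want; it is example code written for this page, not FileCloud's own code. The class, function and path names (LogWriter, storagePathExistsVulnerable, validateStoragePath, looksLikePhar, disablePharWrapper, the storage paths) are hypothetical.

```php
<?php
// Added example, not FileCloud code. All names here are hypothetical.
declare(strict_types=1);

// Any autoloadable class with a magic method is a potential gadget once its
// serialized form sits in a phar archive's metadata. This one is hypothetical.
class LogWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when the deserialized object is collected. In a real gadget
        // chain this side effect is what the attacker steers.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: an admin-supplied storage path goes straight to a
// filesystem function. file_exists() honours stream wrappers, so a path like
// "phar://var/www/storage/upload.jpg" makes PHP parse the archive and
// unserialize its metadata before returning. The file extension is irrelevant.
function storagePathExistsVulnerable(string $path): bool
{
    return file_exists($path);
}

// Hardened: refuse any URL-style path (phar://, php://, data://, ...), refuse
// NUL bytes, resolve symlinks, and require the result to stay under the
// configured storage root.
function validateStoragePath(string $path, string $allowedRoot): string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException('stream wrappers are not allowed in storage paths');
    }
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in storage path');
    }
    $real = realpath($path);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false) {
        throw new InvalidArgumentException('storage path does not exist');
    }
    if ($real !== $root && strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('storage path is outside the allowed root');
    }
    return $real;
}

// Upload-side check, matching the advisory's fix of rejecting phar uploads.
// Inspect bytes rather than the file name, because the phar wrapper does not
// care what the file is called. A native-format phar stub must end with
// __HALT_COMPILER(); so that token is a reliable marker. (Zip- and tar-based
// phars keep the stub inside the archive as .phar/stub.php; a complete filter
// would also look at archive entries.)
function looksLikePhar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER();') !== false;
}

// Defence in depth: if the application never needs phar://, unregister the
// wrapper at bootstrap so the deserialization path cannot be reached at all.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Usage with constructed inputs.
try {
    validateStoragePath('phar://var/www/storage/upload.jpg', sys_get_temp_dir());
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo validateStoragePath(sys_get_temp_dir(), sys_get_temp_dir()), PHP_EOL;

// Constructed stub resembling the start of a phar, followed by junk bytes.
$fakeStub = "<?php echo 'stub'; __HALT_COMPILER(); ?>\r\n" . "\x00\x01\x02manifest";
var_dump(looksLikePhar($fakeStub));
var_dump(looksLikePhar("\x89PNG\r\n\x1a\n"));
```

The scheme check is what closes the hole described above: an extension blocklist on upload is useful defence in depth, but phar:// opens a valid archive regardless of its name, so the storage-path validation and, where possible, disabling the wrapper are the controls that remove the deserialization trigger itself.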
What you should do
- If you are using a FileCloud on-premises installation, please update it to the latest version, which is 22.214.171.12481 or greater.
- If you are using FileCloud online, you are not affected.
If you have any questions about this advisory, please contact FileCloud support.