[GH-ISSUE #771] security hole found #527

New issue

Closed

opened 2026-03-02 15:59:31 +03:00 by kerem · 1 comment

kerem commented

2026-03-02 15:59:31 +03:00

Owner

Originally created by @wiormax on GitHub (Apr 9, 2022).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/771

you can edit any file even if you have excluded in $exclude_items in fact you can edit index.php if that is the name of your tinyfilemanager file so my solution will avoid this issue

chenge this

// file editor from
if ($file == '' || !is_file($path . '/' . $file)) { fm_set_msg(lng('File not found'), 'error'); fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH)); }

// file editor to
if ($file == '' || !is_file($path . '/' . $file) || in_array($file, $GLOBALS['exclude_items'])) { fm_set_msg(lng('File not found'), 'error'); fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH)); }

good luck

Originally created by @wiormax on GitHub (Apr 9, 2022). Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/771 you can edit any file even if you have excluded in $exclude_items in fact you can edit index.php if that is the name of your tinyfilemanager file so my solution will avoid this issue chenge this // file editor from ` if ($file == '' || !is_file($path . '/' . $file)) { fm_set_msg(lng('File not found'), 'error'); fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH)); }` // file editor to ` if ($file == '' || !is_file($path . '/' . $file) || in_array($file, $GLOBALS['exclude_items'])) { fm_set_msg(lng('File not found'), 'error'); fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH)); }` good luck

kerem closed this issue

2026-03-02 15:59:32 +03:00

kerem commented

2026-03-02 15:59:33 +03:00

Author

Owner

@prasathmani commented on GitHub (Nov 19, 2022):

This issue is addressed in the new release.

@prasathmani commented on GitHub (Nov 19, 2022): This issue is addressed in the new [release](https://github.com/prasathmani/tinyfilemanager/releases/tag/2.5.0).