Miggo Logo
Miggo Vulnerability Database
CVE-2018-9209

CVE-2018-9209: FineUploader php-traditional-server unauthenticated arbitrary file upload vulnerability

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-9209
GHSA ID
GHSA-j78w-6r73-22vh
EPSS Score
0.82587%
CWE
CWE-434
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
fineuploader/php-traditional-servercomposer<= 1.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key issues in endpoint.php: 1) No authentication requirement for uploads, and 2) The $uploader->allowedExtensions array being empty by default (line 38), disabling file type filtering. While the allowedExtensions configuration is set in endpoint.php, the actual vulnerability manifests in the UploadHandler::handle() method which executes the upload logic using these insecure defaults. The advisory explicitly references lines 37-38 in endpoint.php where these insecure configurations are set, and the handle() method is the entry point that processes uploads without performing critical security checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Un*ut**nti**t** *r*itr*ry *il* uplo** vuln*r**ility in *in*Uplo***r p*p-tr**ition*l-s*rv*r <= v*.*.*

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s in `*n*point.p*p`: *) No *ut**nti**tion r*quir*m*nt *or uplo**s, *n* *) T** `$uplo***r->*llow***xt*nsions` *rr*y **in* *mpty *y ****ult (lin* **), *is**lin* *il* typ* *ilt*rin*. W*il* t** `*llow***xt*nsions