Overview
We were recently made aware of a vulnerability in mojoPortal where the legacy file manager, known before 2017 as the "Alternative File Manager" or "Advanced File Manager", would allow a user with permission to use it to apply script extensions (.aspx, .asmx, etc.) when renaming files. Essentially, one could create a script, save it as a .png (or some other allowed file type), upload it to a mojoPortal site and then rename the file after it was uploaded, replacing the .png extension with .aspx. The script could then be executed.
This issue requires the end user to have permission to upload files on the site and the site to be set up to allow execution of files within the Data directory, a practice mojoPortal has long advised against.
The CVE can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40341.
Work-Around
A work-around exists for users who do not wish to upgrade their sites. Simply use the URL Rewrite tool in IIS to redirect all requests for /admin/FileManager.aspx and /admin/FileManager.Alt.aspx to /FileManager. The example code below can be copied into web.config, in the rewrite section of system.webServer.
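The following rewrite rules are an added example written for this page, not the project's own snippet (which did not survive on the page). The first rule is the work-around described above; the second is an assumed extra layer, not part of the original advice, that refuses requests for script extensions under the Data directory in case the site still allows execution there.

```xml
<system.webServer>
  <rewrite>
    <rules>
      <!-- Work-around from the advisory: send both legacy file manager URLs
           to the current /FileManager so the vulnerable pages are never served. -->
      <rule name="Redirect legacy mojoPortal file manager" stopProcessing="true">
        <match url="^admin/FileManager(\.Alt)?\.aspx$" ignoreCase="true" />
        <action type="Redirect" url="/FileManager" redirectType="Permanent" />
      </rule>

      <!-- Assumed defense-in-depth layer (editor's addition): a renamed upload
           under Data/ must never be handed to the ASP.NET script handlers. -->
      <rule name="Deny script execution under Data" stopProcessing="true">
        <match url="^Data/.*\.(aspx|asmx|ashx|asax|cshtml|config)$" ignoreCase="true" />
        <action type="AbortRequest" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Both rules require the IIS URL Rewrite module to be installed; the match patterns are case-insensitive because IIS paths are.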