CVE-2021-40964 in TinyFileManagerinfo

Summary

by MITRE • 09/16/2021

A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/31/2025

The vulnerability CVE-2021-40964 represents a critical path traversal flaw in TinyFileManager version 2.4.6 and earlier, exposing systems to arbitrary file write operations. This vulnerability falls under the Common Weakness Enumeration category CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. The flaw enables attackers to manipulate the file upload process by exploiting the "fullpath" parameter, allowing them to escape the intended working directory boundaries and write malicious files anywhere on the target system.

The technical implementation of this vulnerability occurs within the file upload functionality of TinyFileManager where the application fails to properly validate or sanitize the fullpath parameter. When an authenticated attacker with administrative credentials or an attacker exploiting a separate CSRF vulnerability submits a file upload request, they can include traversal sequences such as "../" or "..\" in the fullpath parameter. These sequences allow the attacker to navigate up the directory tree and write files to arbitrary locations on the server filesystem, bypassing the intended directory restrictions.

The operational impact of this vulnerability is severe and multifaceted, potentially allowing attackers to achieve complete system compromise. An attacker could upload malicious files such as web shells, backdoors, or other payload types to critical system directories, enabling persistent access and further exploitation. The vulnerability's exploitation requires either administrative credentials or a successful CSRF attack, but once achieved, it provides unrestricted file writing capabilities that can lead to data exfiltration, system takeover, or deployment of additional malware. The attack surface is particularly concerning as it affects all versions up to and including 2.4.6, indicating this was a long-standing issue without proper input validation.

Mitigation strategies for CVE-2021-40964 should focus on immediate patching of the affected TinyFileManager versions to address the path traversal vulnerability. Organizations should implement proper input validation and sanitization for all file upload parameters, specifically ensuring that the fullpath parameter does not contain traversal sequences. The solution should include whitelisting acceptable directory paths and implementing strict file path validation that rejects any input containing "../" or "..\" sequences. Additionally, organizations should enforce proper authentication controls and CSRF protection mechanisms to prevent unauthorized access to administrative functions. Security monitoring should be enhanced to detect unusual file upload patterns or attempts to write files to unexpected system directories. The vulnerability demonstrates the importance of proper input validation and access control implementation, aligning with ATT&CK technique T1078 for valid accounts and T1566 for credential access through web application attacks. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other file management systems and web applications.

Reservation

09/13/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.08235

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!