## https://sploitus.com/exploit?id=BCD086F4-530A-5982-8220-4B6A9732D6D8
# TinyFileManager v2.6 - File Upload Extension Bypass to Remote Code Execution
> **Status:** Pending CVE Assignment

> **Discovered:** 2025-12-27

> **Researcher:** Patrick (Poppy) and his AI sidekick Claudette

---

## Executive Summary

A critical vulnerability exists in TinyFileManager v2.6 that allows authenticated users to bypass file extension restrictions and upload arbitrary PHP files, leading to **Remote Code Execution (RCE)** on the underlying server.

The root cause is a **parameter mismatch vulnerability** in the file upload handler: the application validates the file extension using one variable (`$_FILES[file][name]`) but saves the file using a completely different user-controlled parameter (`$_REQUEST[fullpath]`). This creates a trivial bypass where an attacker uploads `innocent.jpg` but saves it as `malicious.php`.

**Impact:** Complete server compromise. An attacker with low-privilege credentials (or default credentials, which are often unchanged) can execute arbitrary system commands as the web server user, leading to data theft, lateral movement, ransomware deployment, or full infrastructure takeover.

---

## Vulnerability Details

| Field | Value |
|-------|-------|
| **Product** | [Tiny File Manager](https://github.com/prasathmani/tinyfilemanager) |
| **Vendor** | prasathmani |
| **Affected Versions** | v2.6 |

---

## Impact Assessment

- **5,700+ GitHub stars** and **1,800+ forks**
- Deployed on shared hosting, Docker, NAS devices, routers
- Many use default credentials exposed to the internet

---

## Remediation

Add extension validation for `$fullPathInput` (the client-supplied save path) after line 985, so that the extension of the path the file is actually written to must also appear in the allowed-extensions list, not only the extension of `$_FILES[file][name]`.
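The following is an added illustration written for this advisory, not TinyFileManager's own code: it shows the parameter-mismatch pattern described above (extension checked on the uploaded name, file written to a different client-controlled path) next to a hardened handler that applies the same allow-list to the save path and keeps the write inside the upload directory. The allow-list contents, the function names and the `$uploadDir` argument are assumptions.

```php
<?php
// Added example (not TinyFileManager's code). Assumed allow-list of upload extensions.
$allowedUploadExtensions = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];

// Returns true only when the filename has a non-empty extension on the allow-list.
function extensionAllowed(string $filename, array $allowed): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Vulnerable pattern: the check and the write use different inputs.
function vulnerableUpload(array $file, string $fullPathInput, string $uploadDir, array $allowed): bool {
    if (!extensionAllowed($file['name'], $allowed)) {   // validates e.g. innocent.jpg
        return false;
    }
    // ...but the destination comes from the separate "fullpath" parameter,
    // whose extension was never checked.
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $fullPathInput);
}

// Hardened: the path that will actually be written must pass the same allow-list,
// and must resolve to a location inside the upload directory.
function hardenedUpload(array $file, string $fullPathInput, string $uploadDir, array $allowed): bool {
    if (!extensionAllowed($file['name'], $allowed)) {
        return false;
    }
    if (!extensionAllowed($fullPathInput, $allowed)) {   // rejects a .php save path
        return false;
    }
    $target        = $uploadDir . '/' . ltrim($fullPathInput, '/');
    $realDir       = realpath($uploadDir);
    $realTargetDir = realpath(dirname($target));
    // Reject traversal ("../") or anything that escapes the upload directory.
    if ($realDir === false || $realTargetDir === false
        || strpos($realTargetDir . '/', $realDir . '/') !== 0) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $target);
}
```

A unit check for the fix is to call the handler with a benign `$file['name']` and a `fullpath` ending in `.php`: the vulnerable version writes the file, the hardened one returns `false`.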

---

## Timeline

| Date | Event |
|------|-------|
| 2025-12-27 | Vulnerability discovered |
| 2025-12-27 | PoC exploit developed |
| 2025-12-XX | Vendor notified |
| TBD | CVE assigned |
| TBD | Public disclosure |

---

## References

- [TinyFileManager GitHub](https://github.com/prasathmani/tinyfilemanager)
- [CWE-434](https://cwe.mitre.org/data/definitions/434.html)
- [Prior CVE-2021-40964](https://www.exploit-db.com/exploits/50828)
- [Prior CVE-2021-45010](https://fluidattacks.com/advisories/mosey)

---

**Discovered by:** Patrick (Poppy) and his AI sidekick Claudette

**Date:** December 27, 2025