Share
## https://sploitus.com/exploit?id=PACKETSTORM:216875
=============================================================================================================================================
    | # Title     : Voyager 1.8.0 Arbitrary File Upload Leading to Potential Remote Code Execution                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/thedevdojo/voyager                                                                                       |
    =============================================================================================================================================
    
    [+] Affected Component : TCG\Voyager\Http\Controllers\VoyagerController::upload()
    
    [+] Affected Versions  : Voyager prior to hardening of upload validation
    
    [+] Confirmed on default installations using:
    
    public storage disk
    
    storage:link enabled
    
    Image upload via Rich Text Editor (TinyMCE)
    
    [+] Vulnerability Type
    
    Arbitrary File Upload
    
    Insufficient MIME Validation
    
    Trusting Client-Supplied File Extension
    
    Potential Remote Code Execution (RCE)
    
    [+] Description : The Voyager upload endpoint fails to properly validate uploaded image files. The application relies on:
    
    guessClientExtension()
    
    client-controlled original filename
    
    extension-based allowlist
    
    [+] An attacker with minimal privileges (any role allowed to upload images in a Rich Text Box) can upload a polyglot file masquerading as an image while embedding server-side executable code.
        Because the file is stored using the original extension and placed in a web-accessible directory, this can lead to arbitrary code execution under certain server configurations.
    
    [+] Vulnerable Logic :
    
    $ext = $file->guessClientExtension();
    
    if (in_array($ext, ['jpeg', 'jpg', 'png', 'gif'])) {
        $image->encode($file->getClientOriginalExtension(), 75);
        Storage::disk(...)->put($fullPath, (string) $image, 'public');
    }
    
    [+] Issues :
    
    guessClientExtension() is client-influenced
    
    Original extension is reused during encoding
    
    No signature-based image verification
    
    Publicly accessible storage path
    
    [+] POC :
    
    [+] bypass logic only
    
    Step 1 โ€“ Prepare a Polyglot Image
    
    Create a file that: Starts with a valid image header (e.g. GIF/JPEG)
    
    Contains non-executable marker content for verification
    
    [+] Example :
    
    GIF89a
    <NON_EXECUTABLE_TEST_MARKER>
    
    [+] Save as: test.php.gif
    
    Note: No PHP code is required to demonstrate the flaw.
    
    Step 2 โ€“ Upload via Voyager Editor
    
    Login as any user with Rich Text Box upload permission
    
    [+] Insert image via editor :
    
    Upload test.php.gif
    
    Step 3 โ€“ Observe Stored File
    
    The file will be stored as:
    
    /storage/{slug}/{date}/test.php.gif
    
    [+] This confirms :
    
    Extension preservation
    
    Lack of enforced re-encoding
    
    Client filename trust
    
    Step 4 โ€“ Impact Confirmation
    
    If server-side execution is enabled for misconfigured MIME handlers or future changes:
    
    This upload path becomes a code execution primitive
    
    Risk escalates from File Upload โ†’ RCE
    
    [+] Impact
    
    An attacker may:
    
    Upload arbitrary files
    
    Bypass intended image-only restriction
    
    Potentially execute server-side code
    
    Escalate privileges or compromise the application
    
    [+] Mitigation :
    
    Force server-side extension
    
    $image->encode('jpg', 75);
    
    Validate image via signature (magic bytes)
    
    Reject mixed or double extensions
    
    Store uploads outside web root
    
    Enforce strict MIME validation
    
    Add upload size & rate limits
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================