Hadi999/Reference.txt

## Reference.txt
> [Suggested description]
> Roxy Fileman 1.4.6 suffers from a Remote Code Execution (RCE)
> vulnerability caused by a weak upload control.
>
> ------------------------------------------
>
> [Additional Information]
> The Vendor website is down, in order to download the application we must use Internet Archive.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Roxyfileman
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Roxy Fileman - 1.4.6
>
> ------------------------------------------
>
> [Affected Component]
> In the configuration file 'conf.json' which is a JSON array, the key "FORBIDDEN_UPLOADS" contains as value all the file extensions forbidden such as php php4 php5.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> In order to exploit this Vulnerability, an attacker needs to upload a PHP file using the following extension .phar , this extension isn't forbidden by the upload form.
>
> ------------------------------------------
>
> [Reference]
> https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php
>
> ------------------------------------------
>
> [Discoverer]
> Hadi Mene
	> [Suggested description]
	> Roxy Fileman 1.4.6 suffers from a Remote Code Execution (RCE)
	> vulnerability caused by a weak upload control.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> The Vendor website is down, in order to download the application we must use Internet Archive.
	>
	> ------------------------------------------
	>
	> [Vulnerability Type]
	> Incorrect Access Control
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Roxyfileman
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> Roxy Fileman - 1.4.6
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> In the configuration file 'conf.json' which is a JSON array, the key "FORBIDDEN_UPLOADS" contains as value all the file extensions forbidden such as php php4 php5.
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Remote
	>
	> ------------------------------------------
	>
	> [Impact Code execution]
	> true
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> In order to exploit this Vulnerability, an attacker needs to upload a PHP file using the following extension .phar , this extension isn't forbidden by the upload form.
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Hadi Mene