CVE-2023-4195: Prevent uploading .phps files · Cockpit-HQ/Cockpit@800c05f
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
@@ -78,7 +78,7 @@
$_sizeAllowed = $max_size ? filesize($files[‘tmp_name’][$i]) < $max_size : true;
// prevent uploading php files
if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php’, 'phar’, ‘phtml’])) {
if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php’, 'phar’, 'phtml’, ‘phps’])) {
$_isAllowed = false;
}
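Review bot: adding 'phps' still leaves this a denylist keyed on the single final extension returned by pathinfo(), so any other extension the web server's handler mapping treats as executable, or a name carrying more than one extension, remains uncovered. Suggest inverting it into an allowlist of the types the upload utility actually needs (images, documents) and keeping this denylist only as a secondary guard, e.g. `if ($_isAllowed && !in_array($ext, $allowedExtensions, true)) { $_isAllowed = false; }` with `$ext = strtolower(pathinfo($_file, PATHINFO_EXTENSION));`. A short comment confirming that `$_file` is the client-supplied filename would also help, since the `$files['tmp_name'][$i]` path used in the size check above carries no extension to inspect.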
Related news
GHSA-xcq3-7pf3-5jvc: Cockpit PHP Remote File Inclusion vulnerability
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Users may upload php files through the system file upload utility to obtain remote code execution.