The exploit demonstrates a file extension bypass vulnerability in Roxy Fileman <= 1.4.4, allowing an attacker to rename a file to a forbidden extension (e.g., .php) via the move function, which lacks proper validation. This can lead to remote code execution if the renamed file contains malicious code.
Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target:Roxy Fileman <= 1.4.4
No auth needed
Prerequisites:Access to the Roxy Fileman interface · A file already uploaded to the server