Silverstripe/FD1

[mcdruid]

No description provided.

[nollium]

Thank you for this contribution, I've tested the gadget chain and it works on the specified versions, I'm merging this.

[nollium]

I've also checked the fix you proposed to the Silverstripe project.

I just wanted to warn you that the fix is partial, and this gadget chain can still be used for malicious purposes even after the fix is applied:

The added check only verifies that the file basename starts with a given prefix, which effectively prevents arbitrary file deletion, but, for example, path traversal and the ftp protocol is not blocked, so this gadget chain can be used for connect-backs.

UNC Paths are also usable on Windows, which makes the gadget chains usable to coerce an authentication to an attacker-controlled host, which can then be used for relay attacks.

It seems the fixes you proposed for Silverstripe/FD1, Grav/FD1, phpThumb/FD1 (and maybe others) all suffer from this same issue.