A newly found flaw in Voyager PHP, a Laravel management tool, risks RCE on affected servers. Discovered via SonarQube Cloud scans, it lets authenticated users execute code by clicking a crafted link. No patch is available yet.
1-Click RCE Flaw
The flaw in Voyager comes from an arbitrary file write issue in its media upload function. The app checks MIME types against a predefined list, but this check is flawed.
Attackers can exploit this by creating polyglot files, like disguising a PHP script as an image or video. Since file extensions aren’t properly verified, the malicious file could be uploaded, allowing arbitrary PHP code execution on the server.
The vulnerability is worsened by a reflected XSS flaw. Attackers can trick authenticated users into clicking a malicious link on the /admin/compass endpoint, executing arbitrary JavaScript and increasing the risk of server compromise.
These vulnerabilities pose significant risks, especially for applications using the popular Voyager package, which has over 11,000 stars on GitHub. While the threat is lower for users with the proper permissions, the potential for unauthorized code execution is high, especially in compromised admin contexts.
Despite outreach attempts, Voyager has not provided a fix, leaving version 1.8.0 unpatched. Users should carefully assess the risks before using it in production. The discovery of these flaws emphasizes the need for vigilance.
Organizations are advised to audit Voyager usage, enforce strict permissions, and consider alternatives until patches are released. Regular monitoring and proactive security measures are essential.