SRC-2021-0021 : League flysystem removeFunkyWhiteSpace Time-Of-Check Time-Of-Use File Write Remote Code Execution Vulnerability

CVE ID: CVE-2021-32708

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: League

Affected Products: flysystem

Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of League flysystem. Authentication may not be required to exploit this vulnerability. The specific flaw exists within the removeFunkyWhiteSpace function. The issue results from a change to the supplied filename, which can introduce a time-of-check time-of-use condition. An attacker can leverage this vulnerability to write arbitrary files on a target web server.
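
The check-then-rewrite ordering described above, shown as an added PHP example (not flysystem's code and not part of the original advisory). `stripInvisible()` is a hypothetical stand-in for a storage layer that removes invisible characters; the denylist, function names and sample filenames are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical application policy: extensions that must never be stored.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar'];

// Assumed stand-in for a storage layer that silently drops Unicode "other"
// characters (\p{C}: control, format, unassigned). Not flysystem's own code.
function stripInvisible(string $path): string
{
    return preg_replace('/\p{C}+/u', '', $path) ?? '';
}

function extensionBlocked(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Before: the policy check sees the caller's string, but the write uses the
// rewritten one, so the two can disagree about the extension.
function storedNameUnsafe(string $supplied): ?string
{
    if (extensionBlocked($supplied)) {
        return null;
    }
    return stripInvisible($supplied);
}

// After: reject any name that is not clean UTF-8 or that the storage layer
// would rewrite, so the string that was checked is the string that is written.
function storedNameSafe(string $supplied): ?string
{
    // preg_match returns false on invalid UTF-8 and 1 on a \p{C} match.
    if (preg_match('/\p{C}/u', $supplied) !== 0) {
        return null;
    }
    return extensionBlocked($supplied) ? null : $supplied;
}

// Constructed sample names; the last one carries a trailing backspace (U+0008).
foreach (["report.pdf", "index.php", "invoice.php\u{0008}"] as $name) {
    printf(
        "%-18s unsafe=%-14s safe=%s\n",
        json_encode($name),
        json_encode(storedNameUnsafe($name)),
        json_encode(storedNameSafe($name))
    );
}
```

Rejecting a name that normalization would alter, instead of silently repairing it, keeps every earlier validation decision bound to the exact string that reaches the filesystem.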

Vendor Response:

League has issued an update to correct this vulnerability. More details can be found at: https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm

Disclosure Timeline:

  • 2021-06-23 – Sent to the lead developer Frank de Jonge

  • 2021-06-23 – Coordinated public release of advisory

Proof of Concept:

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team