Security vulnerability affecting Phoca Commander (v4.0.0 & v5.0.1)

Phoca Commander - dual panel file manager for Joomla! CMS
Security_researcher
Phoca Newbie
Posts: 1
Joined: 29 Jul 2025, 11:01


Post by Security_researcher »

Hello,

I have identified a security vulnerability affecting Phoca Commander (v4.0.0 & v5.0.1) and have sent a detailed report to info@phoca.cz as well as through the contact form on your website.

I’m posting here just to ensure the message was received, as I understand this is a sensitive issue and I want to make sure it doesn't go unnoticed. The report includes technical details and reproduction steps for a remote code execution (RCE) scenario caused by improper file validation.

Please let me know if you’ve received the report or if there’s a preferred way to communicate securely.

Best regards,
SJ
Jan
Phoca Hero
Posts: 48996
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: Security vulnerability affecting Phoca Commander (v4.0.0 & v5.0.1)

Post by Jan »

Hi, thank you for the info. I have got the information and I have replied by email.

As written on the Phoca Commander page, and when installing or running Phoca Commander: Phoca Commander works like FTP, so users can upload their own dangerous scripts to their servers. The question is whether, if an administrator informed by all these warnings uploads a dangerous file to the server (which can be done by FTP too) and such a file is stored on the server, we can mark this as a vulnerability.

As written in the email, if the ZIP function does not have a control mechanism, we can disable the unzip function for security reasons in the next versions. Skilled administrators will lose an important function, but it will be better from a security perspective.

But the main function of Phoca Commander is as an alternative to FTP. So, for example, if we do not allow uploading or unzipping PHP files on the server via FTP, then we in fact cannot use Joomla on such a server. One of the most used features is simply uploading or unzipping PHP files on the server (with the help of FTP or with the help of Phoca Commander). As written in the warnings, Phoca Commander is only a backend component and should be used by admins only, not by non-admin users. If we do not allow uploading or unzipping PHP files, then Phoca Commander will no longer be an alternative to FTP and in fact will not be useful anymore.

Please let me know by mail, so we can find a solution and I can release new versions.

Thank you,

Jan
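The reply above talks about a "control mechanism" for the unzip function and the trade-off between refusing PHP entries and keeping the component useful as an FTP alternative. The block below is an added example of what such a mechanism could look like; it is not Phoca Commander's code, it does not reproduce the reported issue (the thread gives no details of it), and the archive it checks is constructed in the example. Assumptions: the archive is unpacked into a known target directory, and the extension allowlist is an administrator setting that can be switched off to allow PHP, mirroring the argument in the post.

```python
"""Entry-level checks for an 'unzip on server' feature (added example, not Phoca's code)."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Optional


def build_sample_zip() -> bytes:
    """Constructed sample archive: two legitimate entries plus two that should be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/index.html", "<html></html>")
        zf.writestr("plugin/helper.php", "<?php echo 'hi';")
        zf.writestr("../../configuration.php", "<?php // would land outside the target dir")
        zf.writestr("/etc/cron.d/job", "* * * * * root id")
    return buf.getvalue()


def check_entry(name: str, dest_dir: str, allowed_exts) -> Optional[str]:
    """Return a rejection reason, or None if the entry may be extracted.

    dest_dir is the directory the archive is unpacked into.  allowed_exts is a
    set of lowercase extensions (with the dot), or None to allow everything,
    which is the hypothetical 'admin may unzip PHP' setting assumed here.
    """
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return "path traversal"
    # Belt and braces: resolve the final path and confirm it stays under dest_dir.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        return "escapes target directory"
    if name.endswith("/"):
        return None  # directory entry, nothing to write
    ext = posixpath.splitext(norm)[1].lower()
    if allowed_exts is not None and ext not in allowed_exts:
        return f"extension {ext or '(none)'} not allowed"
    return None


def plan_extract(zip_bytes: bytes, dest_dir: str, allow_php: bool) -> dict:
    """Map each archive entry name to 'ok' or its rejection reason."""
    allowed = None if allow_php else {".html", ".css", ".js", ".png", ".jpg", ".txt"}
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_entry(info.filename, dest_dir, allowed)
            result[info.filename] = reason or "ok"
    return result


def safe_extract(zip_bytes: bytes, dest_dir: str, allow_php: bool) -> list:
    """Write only the entries that pass check_entry; return the names written."""
    plan = plan_extract(zip_bytes, dest_dir, allow_php)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if plan[info.filename] != "ok" or info.is_dir():
                continue
            rel = posixpath.normpath(info.filename.replace("\\", "/"))
            out = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def run_demo() -> tuple:
    """Run both policies against the constructed archive in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        plan_strict = plan_extract(build_sample_zip(), d, allow_php=False)
        plan_admin = plan_extract(build_sample_zip(), d, allow_php=True)
        written = safe_extract(build_sample_zip(), d, allow_php=True)
        leaked = os.path.exists(os.path.join(os.path.dirname(d), "configuration.php"))
    return plan_strict, plan_admin, sorted(written), leaked


if __name__ == "__main__":
    strict, admin, written, leaked = run_demo()
    print("allow_php=False:", strict)
    print("allow_php=True: ", admin)
    print("written:", written, "| escaped target dir:", leaked)
```

The point of the split into `plan_extract` and `safe_extract` is that the path checks (absolute path, traversal, escape of the target directory) are unconditional, while the extension allowlist is the only part an administrator can switch off; that keeps the "upload PHP like FTP" use case without turning the unzip step into a way to write outside the directory the admin chose.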