hackoclipse

in version 9.14.0 it also bypasses the preg_match but a little lower it brakes because of a programming mistake: https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/upload.php#L73 so when that bug gets fixxed it's very likely it...

later noticed 127.0.0.1 and 0.0.0.0 also worked but at the company i found this vulnerability i used 0.xip.io to bypass there firewall.

hmm after looking closer i was able to find the commit what made the bug: https://github.com/trippo/ResponsiveFilemanager/commit/8478bd4c9ab8e2f85781d00e1656ce4ec861067c after this commit was done a bug was created that url upload doesn't work...

cve assinged: CVE-2020-10212

after more testing i noticed this method also work with extension blacklist enabled in the config. it isn't specificly ico files that work any file what isn't blacklist'ed would work.