Critical vulnerabilities in elFinder web file manager leave servers susceptible to takeover

Adam Bannister August 23, 2021 at 14:22 UTC

Updated: August 31, 2021 at 17:54 UTC

Immediate triage is recommended as researchers warn that exploitation in the wild is likely

UPDATE Critical vulnerabilities in elFinder, the popular open source web file manager, can allow unauthenticated attackers to execute arbitrary PHP code on servers hosting the main elFinder PHP connector.

Security researchers have documented five vulnerability chains that combine “harmless bugs” into exploits capable of taking control of servers.

Fortunately, the flaws have recently been corrected. Thomas Chauchefoin, vulnerability researcher at SonarSource, urged users to update their systems as soon as possible.


“There is no doubt that these vulnerabilities will be exploited in the wild as well, as exploits targeting older versions have been released and connector filenames are part of the path builds to look for when trying to compromise websites,” he said in a blog post.

“The execution of arbitrary code has been easily demonstrated, and attackers will have little difficulty reproducing it,” he added.

Other risky products

Worse yet, the impact potentially extends well beyond elFinder. “All of these classes of bugs are very common in software that exposes file systems to users and are likely to impact a wide range of products,” explained Chauchefoin.

JavaScript-based elFinder, which is used to manage local and remote files, can be included in many frameworks through third-party packages for Laravel and Symfony.

It is also used by WordPress File Manager, which runs on over 700,000 websites. “But you need an administrator account to access the connector and exploit the vulnerabilities that we discovered,” Chauchefoin told The Daily Swig.


All rated CVSS 9.8, the flaws include four issues affecting elFinder 2.1.58 and lower that can allow attackers to move or delete arbitrary files, as well as argument injection and race condition bugs (CVE-2021-32682).

Versions prior to 2.1.58 are also affected by a remote code execution (RCE) bug which is exploited by executing PHP code in a file – but only if the server parses the files as PHP (CVE-2021-23394).

All five flaws except the race condition bug affect elFinder in its default “safe” configuration, which was introduced in response to in-the-wild attacks targeting the app’s previous configuration, according to Chauchefoin.

When asked which vulnerability was the most interesting or the most impactful, Chauchefoin cited the argument injection bug in the archive manager. “Argument injections are always ubiquitous and easy to ignore when reviewing code, but 99% of the time they can be exploited to execute arbitrary commands on the server,” he explained.

“This class of bugs allowed us to compromise most of the PHP supply chain earlier this year, so it’s one of my personal favorites.”
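The argument injection class described above, as an added example (not elFinder or SonarSource code): shell quoting alone does not stop a user-supplied name that begins with a dash from being read as an option, so each name is validated and prefixed before it reaches the archiver. The function names and the use of `tar` as the archiver are assumptions made for illustration.

```php
<?php
// Added example, not elFinder code. Function names are hypothetical and
// `tar` stands in for whatever archiver the application invokes.

/** Accept only a bare file name and make it impossible to parse as an option. */
function assert_safe_member(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('empty name or NUL byte');
    }
    // No directory components: blocks "../" traversal and absolute paths.
    if (basename($name) !== $name || $name === '.' || $name === '..') {
        throw new InvalidArgumentException("path component in name: $name");
    }
    // With a "./" prefix the value can never start with "-", even if the
    // invoked tool ignores the "--" end-of-options marker.
    return './' . $name;
}

/**
 * Build an argv array for tar. Passing an array to proc_open() (PHP >= 7.4)
 * starts the program without a shell, so no shell quoting is involved.
 */
function build_tar_argv(string $archive, array $members): array
{
    $argv = ['tar', '-cf', assert_safe_member($archive), '--'];
    foreach ($members as $member) {
        $argv[] = assert_safe_member($member);
    }
    return $argv;
}

// Constructed inputs: one ordinary name, one option-like, one traversal.
foreach (['report.txt', '-v', '../../etc/passwd'] as $name) {
    // escapeshellarg() protects against shell metacharacters only: the
    // leading dash survives, so the program would still see an option.
    printf("%-18s escapeshellarg => %s\n", $name, escapeshellarg($name));
    try {
        echo '  argv: ', implode(' ', build_tar_argv('out.tar', [$name])), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  rejected: ', $e->getMessage(), "\n";
    }
}
```

The block only builds and prints the argument vectors; nothing is executed, so it can be run without `tar` installed.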

The vulnerabilities were reported to project maintainers in March and fixed in version 2.1.59, released in June. SonarSource released the technical details on August 17th.

“Very sensitive to security”

Chauchefoin expressed hope that his team’s research results would help “break future bug chains and reduce the risk of similar problems.”

He added, “We have also learned that working with paths is not easy and that extra steps need to be taken: perform extra checks in ‘low level’ functions, using and with confidence (and knowing their limits!) controlled data.”

Chauchefoin suggested that web file managers remain a security concern.

“An application’s interaction with the file system is always very security sensitive, as minor functional bugs can easily be the source of exploitable vulnerabilities,” he explained.

“This observation is especially true in the case of web file managers, whose role is to mimic the functionality of an entire file system and expose it to the customer’s browser transparently.”

This article was updated with comments from Thomas Chauchefoin of SonarSource on August 31.
