elFinder Command Injection Vulnerability in PHP Connector

Vulnerability

A command injection vulnerability has been identified in elFinder versions through 2.1.58. It allows attackers to execute arbitrary commands on the server via the PHP connector, even with a minimal configuration. The flaw is in the archive command: the name parameter is sanitized, but a crafted value can still be manipulated so that it reaches the archiving command as an argument that triggers command execution. Exploitation consists of uploading a file and then issuing the archive command with a crafted zip archive name that carries the command injection payload.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running as the www-data user.

Reproduction

To reproduce this vulnerability, upload a text file through the elFinder PHP connector. After the upload, create a zip archive through the elFinder interface, using a name that includes the '-TmTT' argument; this injects a command that runs on the server when the archive is created, demonstrating the command injection.

Remediation

Users are advised to update elFinder to version 2.1.59 or later. For those unable to update, it is recommended to secure the PHP connector with authentication.
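A defender-side illustration of the Reproduction and Remediation points above, added here as example code that is not part of elFinder or of this advisory. The first helper is the kind of check a connector wrapper would apply to an archive name before it reaches an external archiver: sanitizing shell metacharacters alone does not stop a name that begins with '-' from being read as an option by the archiving command. The second helper scans access-log lines for archive requests whose name fails that check, which gives operators who cannot update immediately a way to spot attempts. The log lines, IP addresses, timestamps and the dash-prefixed placeholder name are constructed; the connector path and the cmd, name and targets[] parameter names follow elFinder's request format, but the sample assumes the parameters appear in the query string, so a client that sends them in a POST body would need request-body logging for the same parse.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx combined-style prefix).
# Only the second line carries an option-like archive name; the value is a
# placeholder, not a payload.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2026:12:01:02 +0000] "POST /elfinder/php/connector.minimal.php?cmd=upload&target=l1_Lw HTTP/1.1" 200 180
203.0.113.5 - - [15/May/2026:12:01:09 +0000] "POST /elfinder/php/connector.minimal.php?cmd=archive&type=application%2Fzip&name=-TmTT_PLACEHOLDER&targets%5B%5D=l1_dGVzdC50eHQ HTTP/1.1" 200 312
198.51.100.7 - - [15/May/2026:12:02:30 +0000] "POST /elfinder/php/connector.minimal.php?cmd=archive&type=application%2Fzip&name=report.zip&targets%5B%5D=l1_dGVzdC50eHQ HTTP/1.1" 200 310
198.51.100.7 - - [15/May/2026:12:03:00 +0000] "GET /elfinder/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 900
"""

# Characters a typical "sanitized" filename filter already rejects.
SHELL_META = re.compile(r"[;&|`$<>\n\r\"']")


def archive_name_problem(name):
    """Return None if `name` is safe to hand to an archiver as a positional
    argument, otherwise a short reason. The leading-dash rule is the one a
    metacharacter filter misses: '-TmTT...' contains nothing such a filter
    objects to, yet the archiver parses it as an option rather than a name."""
    if not name or len(name) > 255:
        return "empty or over-long name"
    if name.lstrip().startswith("-"):
        return "option-like name (starts with '-')"
    if SHELL_META.search(name):
        return "shell metacharacter in name"
    if "/" in name or "\\" in name or name in (".", ".."):
        return "path component in name"
    return None


def archive_name_is_safe(name):
    """Boolean wrapper around archive_name_problem() for use in a guard."""
    return archive_name_problem(name) is None


LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_archive_requests(log_text):
    """Scan access-log text for elFinder cmd=archive requests whose name
    parameter fails archive_name_problem(). Returns one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("path")).query)
        if params.get("cmd", [""])[0] != "archive":
            continue
        for name in params.get("name", []):
            problem = archive_name_problem(name)
            if problem:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "name": name, "reason": problem})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_archive_requests(SAMPLE_LOG):
        print("%(ts)s %(ip)s archive name %(name)r: %(reason)s" % hit)
```

The name check is deliberately stricter than a metacharacter filter: any name that would be parsed as an option is refused outright, independent of which archiver is invoked, so it does not depend on knowing the option syntax of zip, tar or 7z. Running the module prints the one constructed hit from 203.0.113.5.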

Added: May 15, 2026, 12:13 PM
Updated: May 15, 2026, 12:13 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 7.5
exploitability: 9.5
remediation: 7.9
relevance: 0.0
threat: 8.3
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.