Xerte Online Toolkits Missing Authentication Vulnerability in elFinder Connector Allowing File Operations and Potential Remote Code Execution

Vulnerability

A missing authentication vulnerability has been identified in Xerte Online Toolkits versions 3.15 and earlier, specifically within the elFinder connector endpoint at /editor/elfinder/php/connector.php. The vulnerability arises because an HTTP redirect to unauthenticated users does not terminate the script, allowing PHP execution to continue. This oversight enables unauthenticated attackers to perform various file operations in project media directories, such as creating, uploading, renaming, duplicating, overwriting, and deleting files. Furthermore, this vulnerability can be exploited in conjunction with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file reading.
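The mechanism described above is the classic PHP mistake of issuing a redirect without stopping the script. As an added illustration (not code from Xerte Online Toolkits or elFinder), the block below shows that pattern next to its fixed form; the session key, login path and command names are assumptions chosen for the example.

```php
<?php
// Added example, not Xerte or elFinder code. The session key, redirect target
// and command names are assumptions made for illustration only.

// Stand-in for the connector dispatch that runs after the login check. It
// returns the command it would have executed so the effect of each gate is
// visible; real code would act on the media directory here.
function run_connector(array $query): string
{
    $allowed = ['ls', 'upload', 'rename', 'rm'];
    $cmd = $query['cmd'] ?? 'ls';
    if (!in_array($cmd, $allowed, true)) {
        http_response_code(400);
        return 'rejected';
    }
    return $cmd;
}

// Vulnerable shape: header() only queues a response header. The script keeps
// running, so an unauthenticated client that simply ignores the 3xx response
// still reaches run_connector() and its file operations execute.
function gate_vulnerable(array $session, array $query): string
{
    if (empty($session['user'])) {
        header('Location: /login.php');
        // missing exit: execution falls through to the connector
    }
    return run_connector($query);
}

// Fixed shape: send the redirect and terminate immediately, so nothing below
// the check can run for an unauthenticated request.
function gate_fixed(array $session, array $query): string
{
    if (empty($session['user'])) {
        header('Location: /login.php', true, 302);
        exit; // nothing past this line executes
    }
    return run_connector($query);
}

// Usage: the connector entry point fails closed by calling the fixed gate first.
echo gate_fixed($_SESSION ?? [], $_GET);
```

With the vulnerable gate, an unauthenticated request carrying `cmd=rm` returns `rm` from `run_connector()` even though a `Location` header was queued; with the fixed gate the process stops at `exit`. A useful second layer is to re-check the session inside the connector logic itself rather than only at the entry point, so a missed `exit` elsewhere does not expose file operations.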

Impact

Exploitation of this vulnerability could lead to unauthorized file operations on the server, including file uploads, which could be leveraged for remote code execution, according to VulnCheck.

Reproduction

To reproduce this vulnerability, access the elFinder connector endpoint without authentication. The server responds with a redirect to the unauthenticated location, but because no script termination command follows the redirect, the request is still processed in full. As a result, file operations such as uploading or deleting files can be performed on the project media directories. This vulnerability can be chained with path traversal and extension blocklist vulnerabilities to execute arbitrary code remotely.

Remediation

Users can upgrade to Xerte Online Toolkits version 3.15.0, 3.14.0, or 3.13.0 to address this vulnerability.

Added: Apr 22, 2026, 7:31 PM
Updated: Apr 22, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          3.1
  impact          7.5
  exploitability  8.9
  remediation     7.7
  relevance       6.5
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.