Xerte Online Toolkits Path Traversal Vulnerability in elFinder Connector

Vulnerability

A relative path traversal vulnerability has been identified in Xerte Online Toolkits versions 3.15 and earlier. The issue resides in the elFinder connector endpoint, '/editor/elfinder/php/connector.php'. The 'name' parameter of the rename command is not validated as a single path component, so an attacker can supply directory traversal sequences (such as '../') in the new name and move a file out of a project's media directory to any location the web server process can write to. Such a move can overwrite application files, plant stored cross-site scripting payloads in locations served to other users, or, by relocating a previously uploaded file containing PHP code into the application root where the server executes .php files, lead to remote code execution. The page notes that unauthenticated remote code execution requires chaining this issue with other vulnerabilities, which implies the connector itself is reachable only with editor access.

Impact

Exploitation of this vulnerability can result in unauthorized file manipulation outside the intended media directory: overwriting critical application files, introducing stored cross-site scripting, or achieving remote code execution by moving an attacker-controlled PHP file into a web-served directory where the application's PHP interpreter will run it.

Reproduction

To reproduce this vulnerability, send a rename command to '/editor/elfinder/php/connector.php' in which the 'name' parameter contains directory traversal sequences, so that the destination computed by joining the media directory with the new name resolves outside that directory. The target file is moved rather than copied, so a previously uploaded file containing PHP code ends up wherever the traversal points. Once it sits in a location the web server executes PHP from (for example the application root), requesting it runs the attacker's code, yielding remote code execution. A useful check when testing a fix is to confirm that a rename whose 'name' contains '/', '\', or '..' is rejected and that the file remains inside the media directory.
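The following Python model, added here as an illustration and not taken from elFinder or Xerte (which are PHP), reproduces the mechanism described above on a constructed temporary directory tree: the vulnerable rename joins the supplied name onto the media directory without checks and so escapes it, while the hardened rename rejects anything that is not a single path component and additionally confirms that both source and destination resolve inside the media root. The directory layout, file names, and function names are assumptions made for the demo.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_rename(media_root: str, old_name: str, new_name: str) -> str:
    """Models the flaw: new_name is joined onto the media directory with no
    validation, so a name such as '../../../evil.php' moves the file out of
    the project media directory (assumed layout, not elFinder's own code)."""
    src = os.path.join(media_root, old_name)
    dst = os.path.join(media_root, new_name)  # traversal sequences pass through
    os.rename(src, dst)
    return dst


def safe_name(name: str) -> bool:
    """Accept only a single path component: no separators, no '.'/'..',
    no NUL byte, and not empty."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return True


def hardened_rename(media_root: str, old_name: str, new_name: str) -> str:
    """Rename that refuses to leave media_root: validates the name and,
    as defence in depth, checks the resolved source and destination paths
    are still under the resolved media root."""
    if not safe_name(new_name):
        raise ValueError("invalid name: must be a single path component")
    root = Path(media_root).resolve()
    src = (root / old_name).resolve()
    dst = (root / new_name).resolve()
    for p in (src, dst):
        if p != root and root not in p.parents:
            raise ValueError("path escapes media directory")
    os.rename(src, dst)
    return str(dst)


def demo() -> tuple:
    """Constructed scenario: app_root/projects/1/media holds an uploaded file
    whose content is PHP. Returns (escaped, blocked, still_inside, legit_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        app_root = Path(tmp).resolve()
        media = app_root / "projects" / "1" / "media"
        media.mkdir(parents=True)
        (media / "upload.txt").write_text("<?php echo 'demo'; ?>")

        # three levels up from media is the application root (constructed layout)
        traversal = "../../../evil.php"

        # Vulnerable path: the file lands in app_root as evil.php.
        dst = vulnerable_rename(str(media), "upload.txt", traversal)
        escaped = Path(dst).resolve() == app_root / "evil.php"

        # Put the file back, then show the hardened rename refuses the same name.
        os.rename(dst, media / "upload.txt")
        blocked = False
        try:
            hardened_rename(str(media), "upload.txt", traversal)
        except ValueError:
            blocked = True
        still_inside = (media / "upload.txt").exists() and not (app_root / "evil.php").exists()

        # A legitimate rename (single component) still works.
        new = hardened_rename(str(media), "upload.txt", "notes.txt")
        legit_ok = Path(new) == media / "notes.txt" and (media / "notes.txt").exists()

        return escaped, blocked, still_inside, legit_ok


if __name__ == "__main__":
    print(demo())
```

The name check alone is sufficient for the rename case, but the resolved-path containment check is worth keeping: it also catches symlinked entries inside the media directory and any future code path that builds a destination from more than one user-controlled piece.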

Remediation

Users are advised to update to Xerte Online Toolkits version 3.15.0 or later and to run the upgrade.php script after updating, since the update is not complete until that script has been executed. Installations on the 3.14 and 3.13 branches follow the same procedure: apply the corresponding update and then run upgrade.php.

Added: Apr 22, 2026, 7:32 PM
Updated: Apr 22, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.