Xerte Online Toolkits Authentication Bypass and Path Traversal Vulnerability Leading to Remote Code Execution

An incomplete input validation vulnerability has been identified in the elFinder connector endpoint of Xerte Online Toolkits, affecting versions through 3.15. This vulnerability allows unauthenticated attackers to upload malicious PHP code by exploiting an incorrect regex pattern that fails to block certain PHP-executable extensions, specifically .php4. This flaw can be combined with authentication bypass and path traversal vulnerabilities to execute arbitrary operating system commands on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server.

Reproduction

To reproduce this vulnerability, an attacker can upload a file through the elFinder connector that includes a .php4 extension, taking advantage of the regex validation flaw. After uploading the file, the attacker can traverse the file system to execute the uploaded PHP code, potentially leading to the execution of arbitrary commands on the server.

Remediation

Users are advised to update to Xerte Online Toolkits version 3.15.0 or later, and to run the upgrade.php script after updating. Instructions for downloading the latest version can be found on the Xerte Community Downloads page.