efw4.X Path Traversal Vulnerability in elfinder_paste Function Allows Arbitrary File Operations
Vulnerability
A path traversal vulnerability has been identified in efw4.X versions prior to 4.08.010. The issue arises in the elfinder_paste function, where the destination parameter (dst) is not properly validated. This lack of validation allows an attacker to copy or move files from the home directory to any arbitrary location by encoding a traversal path in base64. This exploitation bypasses the protected=true security control.
Impact
Exploitation of this vulnerability allows for arbitrary file copying or moving within the application's file system, relative to the storage root. Additionally, it enables remote code execution by copying a web shell to the web application root, where it can be executed.
Reproduction
To reproduce this vulnerability, first upload a JSP web shell to the 'upload' directory within the home directory. Then, send a POST request to the 'efwServlet' endpoint with the 'elfinder_paste' command. Include a base64-encoded traversal path in the 'dst' parameter to specify an arbitrary destination, such as the web application root. After the file is copied, the web shell can be accessed and executed, demonstrating the remote code execution aspect of the vulnerability.
Remediation
Users are advised to update to efw4.X version 4.08.010 or later, where this vulnerability has been patched.
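As an added illustration, not efw's own code, the kind of containment check the Vulnerability section says elfinder_paste lacked: decode the base64 'dst', canonicalize it against the allowed root, and refuse anything that resolves outside it. The storage root and home paths, and the encode/decode helpers, are constructed for this example.

```python
import base64
import binascii
import posixpath

# Constructed example layout (not efw's real paths): every paste must land
# inside the user's home directory beneath the storage root.
STORAGE_ROOT = "/opt/efw/storage"
USER_HOME = "/opt/efw/storage/home"


class PasteRejected(ValueError):
    """Raised when the decoded 'dst' would escape the allowed directory."""


def encode_dst(relative_path: str) -> str:
    """Encode a path the way a client sends 'dst' (base64, per the advisory)."""
    return base64.urlsafe_b64encode(relative_path.encode("utf-8")).decode("ascii")


def decode_dst(dst_b64: str) -> str:
    """Strictly decode 'dst'; any non-base64 character or bad UTF-8 is an error."""
    padded = dst_b64 + "=" * (-len(dst_b64) % 4)
    try:
        raw = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise PasteRejected(f"dst is not valid base64/UTF-8: {exc}") from exc


def resolve_dst(dst_b64: str, allowed_root: str = USER_HOME) -> str:
    """Return the absolute destination, or raise PasteRejected if it leaves allowed_root."""
    relative = decode_dst(dst_b64)
    if "\x00" in relative or relative.startswith("/"):
        raise PasteRejected("absolute path or NUL byte in dst")
    root = posixpath.normpath(allowed_root)
    # Collapse '.', '..' and repeated separators lexically, then require the result
    # to be the root itself or strictly under it (prefix plus separator, so a
    # sibling such as '/opt/efw/storage/home2' cannot pass as the home).
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PasteRejected(f"dst escapes {root}: {candidate}")
    return candidate


def is_safe_dst(dst_b64: str) -> bool:
    """Convenience predicate: True only when resolve_dst accepts the destination."""
    try:
        resolve_dst(dst_b64)
        return True
    except PasteRejected:
        return False


if __name__ == "__main__":
    for sample in ("upload/docs", "../../webapps/ROOT"):
        print(sample, "->", is_safe_dst(encode_dst(sample)))
```

The check here is lexical so it runs offline; on a real filesystem, canonicalize with os.path.realpath as well so symlinks inside the home cannot point the copy outside it.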