Critical vulnerabilities in web file manager elFinder leave servers susceptible to takeover

Immediate triage urged as researchers warn in-the-wild exploitation likely

Critical vulnerabilities in elFinder, the popular open source web file manager, can enable unauthenticated attackers to execute arbitrary PHP code on servers hosting elFinder’s back-end PHP connector.

JavaScript-based elFinder is used to manage local and remote files in conjunction with content management systems and frameworks such as WordPress File Manager and Symfony bundles.

Security researchers have documented five vulnerability chains that combine otherwise “innocuous bugs” to forge exploit chains capable of seizing control of servers.

Other products at risk

Fortunately, the flaws were recently patched. Thomas Chauchefoin, vulnerability researcher at SonarSource, urged users to update their systems as soon as possible.

“There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites,” he said in a blog post.

Read more of the latest infosec research news

“Arbitrary code execution was easily demonstrated, and attackers won’t have much trouble replicating it”, he added.

Worse still, the impact potentially extends well beyond elFinder. “All these bug classes are very common in software that exposes filesystems to users, and are likely to impact a broad range of products,” explained Chauchefoin.

The flaws

All rated CVSS 9.8, the flaws include four issues affecting elFinder 2.1.58 that can enable attackers to move or delete arbitrary files, as well as argument injection and race condition bugs (CVE-2021-32682).

Versions before 2.1.58 are also affected by a remote code execution (RCE) bug that is exploited via the execution of PHP code in a file – but only if the server parses files as PHP (CVE-2021-23394).

All five flaws bar the race condition bug affect elFinder in its default ‘safe’ configuration, which was introduced in the wake of in-the-wild attacks targeting the application’s previous configuration, according to Chauchefoin.

The vulnerabilities were reported to the project maintainers on March and patched in version 2.1.59, which was released in June. SonarSource published technical details on August 17.

As well as updating systems, Chauchefoin advises users to enforce strong access control on the connector as an additional security control.

‘Highly security-sensitive’

Chauchefoin expressed hope that the findings from his team’s research would help “break future bug chains and reduce the risk of similar issues”.

He added: “We also learned that working with paths is not easy and that extra measures should be taken: performing additional checks in the ‘low-level’ functions, using and with confidence (and knowing their limits!) and always validating user-controlled data.”

Chauchefoin suggested that web file managers remain a source of concern over security.

“An application’s interaction with the file system is always highly security sensitive, since minor functional bugs can easily be the source of exploitable vulnerabilities,” he explained.

“This observation is especially true in the case of web file managers, whose role is to replicate the features of a complete file system and expose it to the client’s browser in a transparent way.”

YOU MIGHT ALSO LIKE XSS vulnerability in popular WordPress plugin SEOPress could enable complete site takeover