Immediate triage urged as researchers warn in-the-wild exploitation likely

Critical vulnerabilities in web file folder manager elFinder leave servers susceptible to takeover

UPDATED Critical vulnerabilities in elFinder, the popular open source web file manager, can enable unauthenticated attackers to execute arbitrary PHP code on servers hosting elFinder’s back-end PHP connector.

Security researchers have documented five vulnerability chains that combine otherwise “innocuous bugs” to forge exploit chains capable of seizing control of servers.

Fortunately, the flaws were recently patched. Thomas Chauchefoin, vulnerability researcher at SonarSource, urged users to update their systems as soon as possible.

Read more of the latest infosec research news

“There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites,” he said in a blog post.

“Arbitrary code execution was easily demonstrated, and attackers won’t have much trouble replicating it”, he added.

Other products at risk

Worse still, the impact potentially extends well beyond elFinder. “All these bug classes are very common in software that exposes filesystems to users, and are likely to impact a broad range of products,” explained Chauchefoin.

JavaScript-based elFinder, which is used to manage local and remote files, can be included in many frameworks thanks to third-party packages for Laravel and Symfony.

It is also used by WordPress File Manager, which runs on more than 700,000 websites. “But you need an administrator account to reach the connector and to exploit the vulnerabilities we discovered,” Chauchefoin told The Daily Swig.

The flaws

All rated CVSS 9.8, the flaws include four issues affecting elFinder 2.1.58 and below that can enable attackers to move or delete arbitrary files, as well as argument injection and race condition bugs (CVE-2021-32682).

Versions before 2.1.58 are also affected by a remote code execution (RCE) bug that is exploited via the execution of PHP code in a .phar file – but only if the server parses .phar files as PHP (CVE-2021-23394).

All five flaws bar the race condition bug affect elFinder in its default ‘safe’ configuration, which was introduced in the wake of in-the-wild attacks targeting the application’s previous configuration, according to Chauchefoin.

Asked which vulnerability was most interesting or impactful, Chauchefoin cited the argument injection bug in the archive handler. “Argument injections are still everywhere and easy to overlook when reviewing code, but 99% of the time they can be exploited in a way to execute arbitrary commands on the server,” he explained.

This bug class allowed us to compromise most of the PHP supply chain earlier this year so it’s one of my personal favorites.”

The vulnerabilities were reported to the project maintainers on March and patched in version 2.1.59, which was released in June. SonarSource published technical details on August 17.

‘Highly security-sensitive’

Chauchefoin expressed hope that the findings from his team’s research would help “break future bug chains and reduce the risk of similar issues”.

He added: “We also learned that working with paths is not easy and that extra measures should be taken: performing additional checks in the ‘low-level’ functions, using basename() and dirname() with confidence (and knowing their limits!) and always validating user-controlled data.”

Chauchefoin suggested that web file managers remain a source of concern over security.

“An application’s interaction with the file system is always highly security sensitive, since minor functional bugs can easily be the source of exploitable vulnerabilities,” he explained.

“This observation is especially true in the case of web file managers, whose role is to replicate the features of a complete file system and expose it to the client’s browser in a transparent way.”

This article was updated with comments from Thomas Chauchefoin of SonarSource on August 31.

YOU MIGHT ALSO LIKE XSS vulnerability in popular WordPress plugin SEOPress could enable complete site takeover