id: elfinder-version

info:
  name: elFinder 2.1.58 - Remote Code Execution
  author: idealphase
  severity: critical
  description: elFinder 2.1.58 is vulnerable to remote code execution. This can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration.
  remediation: The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
  reference:
    - https://github.com/Studio-42/elFinder/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 2
  tags: tech,elfinder,oss

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/elfinder.min.js"
      - "{{BaseURL}}/js/elFinder.version.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "elFinder - file manager for web"
          - "elFinder.prototype.version ="
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - '\* Version (.+) \('
          - "elFinder.prototype.version = '([0-9.]+)';"

# digest: 4a0a0047304502203fd42f01a45120d89be9dbccf02f4640a8984cb9e3354cfc80b84bd9e7f0b1c1022100b7a056d3efbf71d6eca1b3c8b3536b6bb31863d3092564f71ac5fadb59197072:922c64590222798bb761d5b6d8e72950