
Flaws Found in Open Source elFinder File Manager

Updated Version Patches the Flaws

Five flaws create a critical vulnerability chain in the elFinder web file manager. (Source: SonarSource)

Security researchers at SonarSource discovered five vulnerabilities that create a critical vulnerability chain in elFinder, an open source web file manager. An updated version of the manager patches the flaws.


The elFinder file manager is used in content management systems and frameworks, such as WordPress plugins or Symfony bundles, to allow easy operations on both local and remote files. It's written in JavaScript using jQuery UI.

The five vulnerabilities, tracked as a group as CVE-2021-32682, have a CVSS score of 9.8, rated critical. The vulnerability chain affects elFinder version 2.1.58. If exploited, the flaws could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, the researchers say.

Version 2.1.59 of elFinder includes patches for the flaws. Researchers portray the five flaws in the chain as "innocuous bugs" that can be combined to gain arbitrary code execution.

"We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data," researchers note.

Time to Upgrade

Thomas Chauchefoin, vulnerability researcher at SonarSource, recommends that all users immediately upgrade elFinder to the latest version.

While the researchers did not report any known exploits in the wild, Chauchefoin notes: "There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors' filenames are part of compilations of paths to look for when trying to compromise websites."

The researchers say that exploitation of these vulnerabilities can enable an attacker to execute arbitrary PHP code on the server where elFinder is installed, ultimately leading to its compromise. Attackers could then delete or remove arbitrary files, upload PHP files,

"All these bug classes are very common in software that exposes filesystems to users, and are likely to impact a broad range of products, not only elFinder," Chauchefoin notes.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
