Flaws Found in Open Source elFinder File ManagerUpdated Version Patches the Flaws
Security researchers at SonarSource discovered five vulnerabilities that create a critical vulnerability chain in elFinder, an open source web file manager. An updated version of the manager patches the flaws.
The five vulnerabilities, tracked as a group as CVE-2021-32682, have a CVSS score of 9.8, or extremely critical. The vulnerability chain affects elFinder version 2.1.58. The flaws, if exploited, could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, the researchers say.
Version 2.1.59 of elFinder includes patches for the flaws. Researchers portray the five flaws in the chain as "innocuous bugs" that can be combined to gain arbitrary code execution.
"We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data," researchers note.
Time to Upgrade
Thomas Chauchefoin, vulnerability researcher at SonarSource, recommends that all users immediately upgrade elFinder to the latest version.
While the researchers did not report any known exploits in the wild, Chauchefoin notes: "There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites."
The researchers say that the exploitation of these vulnerabilities can enable an attacker execute arbitrary PHP code on the server where elFinder is installed, ultimately leading to its compromise. Attackers then could delete or remove Arbitrary Files, upload PHP Files,
"All these bug classes are very common in software that exposes filesystems to users, and are likely to impact a broad range of products, not only elFinder," Chauchefoin notes.