Numerous critical security vulnerabilities riddled the elFinder file manager plugin. Exploiting these bugs could allow an adversary to take control of the underlying server and access its data. Since the vendor has patched the flaws, users should update their sites as soon as possible.
elFinder File Manager Plugin Vulnerabilities
Researchers from SonarSource have recently elaborated on the vulnerabilities in the elFinder file manager plugin.
elFinder is a web file manager plugin commonly integrated into CMSs and frameworks. It is open source and allows easy management of local and remote files.
Specifically, the researchers found five different critical security flaws in the plugin, all tracked under the single CVE number CVE-2021-32682. Exploiting the bugs could allow an adversary to execute arbitrary PHP code on a server running a vulnerable elFinder.
Without requiring authentication, an adversary could delete, move, or upload arbitrary files via these vulnerabilities. Exploiting the flaws could also lead to a race condition and argument injection.
Technical details of these vulnerabilities are available in the researchers’ post.
Patches Released
Upon discovering the bugs in March 2021, the researchers contacted the developers to report the matter. Eventually, the developers released fixes for all the vulnerabilities with the release of elFinder 2.1.59. The changes are also evident from the changelog on GitHub.
Commenting on the vulnerabilities, the researchers stated:
There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors' filenames are part of compilations of paths to look for when trying to compromise websites.
Given the severity of the bugs if exploited in the wild, and the ease of exploitation, the researchers urge all users to update to the latest patched version as soon as possible.
We urge you to immediately upgrade to elFinder 2.1.59. We also advise enforcing strong access control on the connector (e.g. basic access authentication).
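As an added example of the access control the researchers recommend (not code from the article or from the elFinder project), the following nginx site fragment requires HTTP Basic authentication for every request to the connector directory. It assumes elFinder is deployed under /elfinder/ with its PHP connector in /elfinder/php/, PHP-FPM listening on the socket shown, and a password file created with htpasswd; adjust these to your deployment.

```nginx
# Added example (not from the article or the elFinder project).
# Hostname, document root, paths and socket below are assumptions for illustration.
server {
    listen 443 ssl;
    server_name files.example.com;      # placeholder hostname
    root /var/www/html;                 # assumed document root

    # The elFinder UI assets (JS/CSS/images) can stay public; no file
    # operations happen here, only static delivery.
    location /elfinder/ {
        try_files $uri $uri/ =404;
    }

    # The PHP connector is the component that performs file operations on
    # the server, so it must never be reachable without credentials.
    # The longer prefix wins over /elfinder/ above, so this block applies
    # to every request under the connector directory, whatever its filename.
    location /elfinder/php/ {
        auth_basic           "elFinder connector";
        auth_basic_user_file /etc/nginx/elfinder.htpasswd;   # htpasswd -c <file> <user>

        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;             # assumed PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Basic authentication must only be used over TLS, and it is a layer in front of the upgrade to 2.1.59, not a substitute for it.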