Vulnerabilities Detected in Open Source elFinder File Manager


Security researchers from SonarSource identified five flaws in elFinder, an open-source web-based file manager, that together form a severe vulnerability chain.

The elFinder file manager is commonly embedded in content management systems and frameworks, for example through WordPress plugins and Symfony bundles, to simplify management of both local and remote files. Its front end is written in JavaScript using jQuery UI, with server-side connectors such as the PHP connector.

The five flaws, tracked together as CVE-2021-32682, carry a CVSS score of 9.8 (critical). The vulnerability chain affects elFinder version 2.1.58.

According to the researchers, exploiting the vulnerabilities may allow an intruder to execute arbitrary code and commands on the server hosting the elFinder PHP connector. The vulnerabilities have been patched in elFinder version 2.1.59. The researchers describe the five weaknesses in the chain as individually "innocuous bugs" that can be combined to achieve arbitrary code execution.

The researchers noted, "We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data." 

Update to the latest version

According to Thomas Chauchefoin, the security researcher at SonarSource who found the flaws, all users should upgrade elFinder to the latest version immediately.

"There is no doubt these vulnerabilities will also be exploited in the wild because exploits targeting old versions have been publicly released and the connectors' filenames are part of compilations of paths to look for when trying to compromise websites."

While the researchers did not announce any publicly available exploits, they state that exploiting these issues can allow an attacker to run arbitrary PHP code on the server where elFinder is installed, eventually leading to its takeover. An attacker with that level of access could then delete any files on the server, upload PHP files, and so on.

"All these bug classes are very common in software that exposes filesystems to users and are likely to impact a broad range of products, not only elFinder," Chauchefoin added.