elFinder Archive Command Injection
Posted by deepcore on September 15, 2021 – 10:30 pm
elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.
Post a reply
You must be logged in to post a comment.