elFinder Archive Command Injection

Discussion in 'News Aggregator' started by Packet Storm, 16 Sep 2021.

  1. Packet Storm

    Packet Storm Guest

    elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.

    Continue reading...
     

Share This Page

Loading...