Advisory about vulnerability of CVE 2018 9109 and CVE 2018 9110 - Studio-42/elFinder GitHub Wiki

Advisory about vulnerability of CVE-2018-9109 and CVE-2018-9110

Overview

A directory traversal vulnerability in the zipdl command exists in the PHP connector of elFinder versions 2.1.12 through 2.1.35 (through 2.1.36 on Windows servers). Users running an affected version on their server must take one of the following countermeasures.

Plan a

Upgrade to elFinder version 2.1.36 or higher (2.1.37 or higher on Windows servers).

Plan b

If the upgrade described in Plan a is impossible, modify the zipdl() function in elFinder.class.php as follows, at your own risk.

// 2nd: Return array contains opened file pointer, root itself and required headers
if (count($targets) !== 4 || ($volume = $this->volume($targets[0])) == false) {
    return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$file = $targets[1];

TO

// 2nd: Return array contains opened file pointer, root itself and required headers
if (count($targets) !== 4 || ($volume = $this->volume($targets[0])) == false) {
    return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$file = $targets[1];
// checking the validity of the file parameter
if (strpos(str_replace('/', DIRECTORY_SEPARATOR, $file), DIRECTORY_SEPARATOR) !== false) {
    return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
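The following stand-alone PHP script is an added example, not code from the advisory or from elFinder: it reproduces the Plan b check as a function, runs it against constructed file names, and adds a realpath() containment check as an extra layer. The function names, the temporary fixture directory and the sample names are assumptions.

```php
<?php
// Added example, not elFinder code. isBareFileName() mirrors the Plan b check from
// the advisory: the zipdl "file" parameter must contain no directory separators.
function isBareFileName(string $file): bool
{
    // Map '/' to the platform separator so both '/' and '\' are caught on Windows,
    // exactly as the advisory's patch does.
    $normalised = str_replace('/', DIRECTORY_SEPARATOR, $file);
    return strpos($normalised, DIRECTORY_SEPARATOR) === false;
}

// Defense in depth (an assumption, not part of the advisory): also require that the
// resolved path stays inside $baseDir, which additionally rejects a bare "..".
function resolveInside(string $baseDir, string $file)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false) {
        return false; // base directory or target does not exist
    }
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : false;
}

// Constructed fixture: a temporary directory holding one legitimate archive.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zipdl_check_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'elfdl123.zip', 'PK');

// Constructed sample inputs: one legitimate name, then traversal-shaped names.
$samples = ['elfdl123.zip', '../../etc/passwd', '..\\..\\win.ini', 'sub/x.zip', '..'];
foreach ($samples as $file) {
    $nameOk = isBareFileName($file);
    $path   = $nameOk ? resolveInside($baseDir, $file) : false;
    printf("%-20s name check: %-8s contained: %s\n",
        $file, $nameOk ? 'pass' : 'reject', $path === false ? 'no' : 'yes');
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'elfdl123.zip');
rmdir($baseDir);
```

On a Linux server the backslash sample passes the name check because '\' is not a separator there; the containment check then rejects it because no such file exists, which shows why the second layer is worth keeping alongside the Plan b patch.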

Severity - based on CVSS v3

CVSS Score: 7.7

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What could an attacker do with this vulnerability?

  1. An attacker can download and delete any file on the server with the privileges of the PHP process.

Reviewer of this vulnerability

Ravindra Rajaram and Kevin Kotas