Studio-42 / elFinder

📁 Open-source file manager for web, written in JavaScript using jQuery and jQuery UI
https://studio-42.github.io/elFinder/

Using .php8 in PHP handler leading to RCE #3615

Closed passtheticket closed 6 months ago

passtheticket commented 7 months ago

Describe the bug
There is no restriction on uploading files with the .php8 extension. I encountered this situation during a penetration test of a website that uses elFinder. In some environments, .php8 can be executed as PHP. In particular, when PHP is updated from a lower version to 8.x, .php8 can be added to the .htaccess file for PHP handling like:

For PHP 8.0:
AddHandler application/x-httpd-ea-php80 .php .php8 .phtml
For PHP 8.1:
AddHandler application/x-httpd-ea-php81 .php .php8 .phtml

In another case, .php8 can be executed as PHP according to the following Apache configuration.

<FilesMatch ".+\.ph(p[7-8]?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

To Reproduce
Steps to reproduce the behavior:

  1. Select an arbitrary PNG file to upload.
  2. Capture the request with Burp and set the content to test<?php phpinfo();?>
  3. Set the filename to something like test.php8
  4. After forwarding the request, the file is successfully uploaded under the files directory

Expected behavior
I think that php8 can be added to the staticMimeMap array in the elFinderVolumeDriver class.

Screenshots
(two screenshots attached in the original issue)

nao-pon commented 6 months ago

@passtheticket Thank you for your report. I will fix this. Until a fixed version is released, elFinder administrators can work around this issue by using 'additionalMimeMap' in the roots configuration, as follows:

'roots' => array(
    // Items volume
    array(
        'additionalMimeMap' => array(
            'php8:*' => 'text/x-php',
            'php9:*' => 'text/x-php'
        ),
        'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
        'path'          => '../files/',                 // path to files (REQUIRED)
        'URL'           => dirname($_SERVER['PHP_SELF']) . '/../files/', // URL to files (REQUIRED)
        'trashHash'     => 't1_Lw',                     // elFinder's hash of trash folder
        'winHashFix'    => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
        'uploadDeny'    => array('all'),                // All Mimetypes not allowed to upload
        'uploadAllow'   => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain'), // Mimetype `image` and `text/plain` allowed to upload
        'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
        'accessControl' => 'access'                     // disable and hide dot starting files (OPTIONAL)
    ),
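The following is an added example written for this page; it is not elFinder's code. It models, in plain PHP, the decision chain the report and the workaround above are about: an extension-to-MIME lookup that has no entry for .php8, a fallback to content sniffing that reports the reporter's payload as text/plain, and an uploadDeny/uploadAllow/uploadOrder evaluation in which text/plain is allowed. It then re-runs the same uploads with the `additionalMimeMap` entries from nao-pon's workaround. The function names (`sniffMime`, `mimeByName`, `mimeInList`, `allowPutMime`, `uploadDecision`, `apacheWouldExecute`), the abridged `STATIC_MIME_MAP`, and the sample uploads are this example's own assumptions; only the option keys and the FilesMatch pattern come from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not elFinder's code. Abridged stand-in for the built-in
// extension map; the point is that 'php8' is absent (assumed map).
const STATIC_MIME_MAP = [
    'php'   => 'text/x-php',
    'php3'  => 'text/x-php',
    'php4'  => 'text/x-php',
    'php5'  => 'text/x-php',
    'php7'  => 'text/x-php',
    'phtml' => 'text/x-php',
    'png'   => 'image/png',
    'jpg'   => 'image/jpeg',
    'txt'   => 'text/plain',
];

// Crude content sniffer standing in for finfo(): anything that is not a
// recognised binary format and consists of printable bytes is "text/plain".
function sniffMime(string $content): string
{
    if (strncmp($content, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'image/png';
    }
    $printable = str_replace(["\r", "\n", "\t"], '', $content);
    return ctype_print($printable) ? 'text/plain' : 'application/octet-stream';
}

// Resolve a MIME type from the name: additionalMimeMap ('ext:*' => mime) first,
// then the static map, and only for an unknown extension sniff the content.
function mimeByName(string $name, string $content, array $additionalMimeMap): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    foreach ($additionalMimeMap as $key => $mime) {
        if (strtolower(explode(':', $key, 2)[0]) === $ext) {
            return $mime;
        }
    }
    return STATIC_MIME_MAP[$ext] ?? sniffMime($content);
}

// List entry matching: 'all' matches everything, 'image' matches 'image/*',
// otherwise an exact type match.
function mimeInList(string $mime, array $list): bool
{
    $major = explode('/', $mime, 2)[0];
    foreach ($list as $entry) {
        if ($entry === 'all' || $entry === $mime || $entry === $major) {
            return true;
        }
    }
    return false;
}

// Apache "Order"-style semantics (assumed to model uploadOrder): with
// ['deny', 'allow'] the default is allow, and a type is refused only when it
// matches uploadDeny and does NOT match uploadAllow. Both matching => allowed.
function allowPutMime(string $mime, array $opts): bool
{
    $allow = mimeInList($mime, $opts['uploadAllow']);
    $deny  = mimeInList($mime, $opts['uploadDeny']);
    if (strtolower($opts['uploadOrder'][0]) === 'allow') {
        return $allow && !$deny;      // default deny
    }
    return !($deny && !$allow);       // default allow
}

// The FilesMatch pattern quoted in the report; "test.php8" matches the p[7-8]? branch.
function apacheWouldExecute(string $name): bool
{
    return preg_match('/.+\.ph(p[7-8]?|tml)$/', $name) === 1;
}

function uploadDecision(string $name, string $content, array $opts): string
{
    $mime = mimeByName($name, $content, $opts['additionalMimeMap'] ?? []);
    return sprintf('%-10s -> %-24s %-8s (Apache would execute: %s)',
        $name, $mime, allowPutMime($mime, $opts) ? 'ACCEPTED' : 'rejected',
        apacheWouldExecute($name) ? 'yes' : 'no');
}

// Root options as in the configuration above, without and with the workaround.
$root = [
    'uploadDeny'  => ['all'],
    'uploadAllow' => ['image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain'],
    'uploadOrder' => ['deny', 'allow'],
];
$hardened = $root + ['additionalMimeMap' => ['php8:*' => 'text/x-php', 'php9:*' => 'text/x-php']];

// Constructed sample uploads: the reporter's payload and two controls.
$payload = "test<?php phpinfo();?>";
$png     = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);

foreach (['before fix' => $root, 'with additionalMimeMap' => $hardened] as $label => $opts) {
    echo "== $label ==\n";
    echo uploadDecision('test.php8', $payload, $opts), "\n";  // reported bypass: text/plain, accepted
    echo uploadDecision('test.php',  $payload, $opts), "\n";  // static map: text/x-php, rejected
    echo uploadDecision('test.png',  $png,     $opts), "\n";  // legitimate image, accepted
}
```

Run with `php example.php`. Before the workaround, `test.php8` resolves through the content sniffer to text/plain, which the allow list permits, so the deny-all entry does not win; after adding `php8:*` to `additionalMimeMap` the same file resolves to text/x-php and is refused. Note that the extension map is a denylist: it only helps for extensions someone has thought to add, so on a deployment where the web server executes more than `.php` the upload directory should also have script execution switched off at the web server (a standard control independent of elFinder).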