CVE-2019-9194
published 2019-02-26

CVE-2019-9194: elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.

Priority: P190 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 96.63% (99.9th percentile)

Affected

2 ranges

Vendor      Product    Version range    Fixed in
std42       elfinder   < 2.1.48         2.1.48
studio-42   elfinder   >= 0 < 2.1.48    2.1.48

Detection & IOCs (extracted from sources)

path: /php/connector.minimal.php
path: /php/SecSignal.php
filename: SecSignal.jpg
command: upload cmd with multipart filename containing semicolon shell metacharacters, e.g. SecSignal.jpg;echo <cmd>
command: GET /php/connector.minimal.php?target=<hash>&degree=180&mode=rotate&cmd=resize
command: jpg_fname = "#{fname}.jpg;echo #{stager.unpack('H*').flatten.first} |xxd -r -p |sh& #.jpg"
  • Detect unauthenticated POST requests to /php/connector.minimal.php with multipart filenames containing semicolons or shell metacharacters, indicating command injection via the filename parameter.
  • Detect GET requests to /php/connector.minimal.php with query parameters cmd=resize, mode=rotate, and degree=180 immediately following a suspicious file upload — this is the trigger step for the exiftran command injection.
  • Alert on creation of new .php files in the elFinder /php/ directory or /wp-content/plugins/wp-file-manager/lib/files path, as the exploit drops a PHP webshell there.
  • Monitor for the exiftran process being spawned by the web server user with filenames containing semicolons, pipes, or base64-encoded payloads in the argument list.
  • Check for requests to /php/connector.minimal.php returning HTTP 200 with a JSON body containing 'added' and 'hash' fields from unauthenticated clients — this confirms successful exploitation of the upload step.
  • The PHP connector is not enabled by default; presence of an accessible connector.minimal.php is itself an indicator of misconfiguration and exploitability.
  • The vulnerability is only exploitable if the PHP connector (connector.minimal.php) is enabled and accessible; it is not enabled by default in elFinder.
  • Exploitation requires the `exiftran` utility to be installed and available in $PATH on the target system; without it, the vulnerable code path is not reached.
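The first two detection bullets above describe a two-step request pattern: a POST upload to connector.minimal.php whose multipart filename carries shell metacharacters, followed by a GET with cmd=resize, mode=rotate and degree=180 from the same client. The script below is an added example (not from this record or from the elFinder project) that correlates both steps over constructed access-log lines. It assumes a simplified Apache/nginx combined log format and a constructed side table of uploaded filenames keyed by client and timestamp, standing in for a WAF or application log, since multipart filenames do not appear in a plain access log.

```python
"""Correlate the two request steps of the CVE-2019-9194 pattern in web logs.

Added example; log format and the upload-filename side table are assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

CONNECTOR_PATH = "/php/connector.minimal.php"
# Shell metacharacters that should never appear in an uploaded image name.
SHELL_META = re.compile(r"[;|&`$<>]")
# Simplified combined log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def parse_log_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["uri"])
    rec["path"] = parsed.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def is_rotate_trigger(rec):
    """GET to the connector carrying the exiftran trigger parameters."""
    q = rec["query"]
    return (rec["method"] == "GET" and rec["path"] == CONNECTOR_PATH
            and q.get("cmd") == "resize" and q.get("mode") == "rotate"
            and q.get("degree") == "180")


def is_suspicious_upload(rec, upload_names):
    """POST to the connector whose multipart filename contains shell metacharacters.

    upload_names maps (client, timestamp) -> list of filenames (assumed side table).
    """
    if rec["method"] != "POST" or rec["path"] != CONNECTOR_PATH:
        return False
    names = upload_names.get((rec["client"], rec["ts"]), [])
    return any(SHELL_META.search(n) for n in names)


def detect(lines, upload_names):
    """Walk log lines in order and return (severity, client, reason) alerts.

    A metacharacter upload alone is medium; a rotate trigger from a client that
    already sent such an upload is high, because both steps of the chain were seen.
    """
    alerts = []
    primed = set()  # clients that have sent a suspicious upload
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if is_suspicious_upload(rec, upload_names):
            primed.add(rec["client"])
            alerts.append(("medium", rec["client"], "upload filename with shell metacharacters"))
        elif is_rotate_trigger(rec):
            if rec["client"] in primed:
                alerts.append(("high", rec["client"], "rotate trigger after suspicious upload"))
            else:
                alerts.append(("low", rec["client"], "rotate trigger without prior suspicious upload"))
    return alerts


# Constructed sample data: only 10.0.0.5 performs both steps; 10.0.0.9 is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Feb/2019:10:00:01 +0000] "POST /php/connector.minimal.php HTTP/1.1" 200 184',
    '10.0.0.5 - - [26/Feb/2019:10:00:02 +0000] "GET /php/connector.minimal.php?target=l1_abc&degree=180&mode=rotate&cmd=resize HTTP/1.1" 200 97',
    '10.0.0.9 - - [26/Feb/2019:10:05:00 +0000] "POST /php/connector.minimal.php HTTP/1.1" 200 184',
    '10.0.0.9 - - [26/Feb/2019:10:05:01 +0000] "GET /php/connector.minimal.php?cmd=open&target=l1_abc HTTP/1.1" 200 512',
]
SAMPLE_UPLOADS = {
    ("10.0.0.5", "26/Feb/2019:10:00:01 +0000"): ["photo.jpg;x"],  # metacharacter in name
    ("10.0.0.9", "26/Feb/2019:10:05:00 +0000"): ["holiday.jpg"],  # benign
}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, SAMPLE_UPLOADS):
        print(*alert)
```

The low-severity branch is deliberate: a rotate request on its own is legitimate elFinder behaviour, so only the ordered pair from one client is worth a high-severity alert; pair it with the file-creation and process-spawn checks from the bullets above for confirmation.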

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -