CVE-2021-43421
published 2022-04-07

Priority: P276 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 42.78% (98.5th percentile)
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.

Affected (2 ranges)

Vendor      Product    Version range         Fixed in
std42       elfinder   2.0.4 – 2.1.59        (not stated)
studio-42   elfinder   >= 2.0.4, < 2.1.60    2.1.60

Detection & IOCs (extracted from sources)

path:    /elFinder/php/connector.minimal.php
url:     /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa
url:     /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}}
url:     /elfinder/files/{{randstr}}.php%3Aaaa
command: cmd=mkfile&target=l1_Lw&name=<filename>.php:aaa
command: cmd=put&target=<hash>&content=<payload>
  • Detect exploitation attempts by monitoring GET requests to connector.minimal.php with cmd=mkfile and a filename containing '.php:' (NTFS alternate data stream abuse used to bypass the PHP upload restriction).
  • Detect the follow-up write step: GET requests to connector.minimal.php with cmd=put and a content parameter, used to write arbitrary PHP code into the file created in the previous step.
  • Detect webshell access attempts: GET requests under /elfinder/files/ for paths containing '.php%3Aaaa' (URL-encoded colon), indicating execution of the uploaded alternate-data-stream PHP file.
  • The attack is unauthenticated (no credentials required); any source IP can trigger the exploit chain against an exposed connector.minimal.php endpoint.
  • Confirm exploitation by checking whether the HTTP response body of the third request (the file access) contains the attacker-supplied content string together with an HTTP 200 status.
  • The elFinder hash value can be extracted from the JSON response with the regex pattern '"hash":"(.*?)",'; this hash is used as the target parameter in the subsequent cmd=put write request.
  • The exploit uses a three-step HTTP GET chain: (1) mkfile to create a .php:aaa file, (2) put to write PHP content into it, (3) a direct GET to execute it. All three steps must succeed for full RCE, so a single matching request is an attempt, and all three from one source is a likely compromise.
  • The vulnerability affects elFinder versions 2.0.4 through 2.1.59 only; version 2.1.60 and above are patched.
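The detection bullets above describe the three request stages and how to correlate them per source IP. The following script is an added example, not part of this CVE record or of the elFinder project: it runs that logic over a few constructed web-server access-log lines (combined log format is assumed) and reports, per client IP, which stages were seen and whether the full chain completed with a 200 on the final access. The function names `classify` and `scan_log` and the sample addresses are made up for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (combined log format). The first three
# lines reproduce the three-step chain from the IOC section; the last two are
# benign elFinder traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2022:10:00:01 +0000] "GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=abcd.php:aaa HTTP/1.1" 200 312
203.0.113.5 - - [07/Apr/2022:10:00:02 +0000] "GET /elFinder/php/connector.minimal.php?cmd=put&target=l1_YWJjZC5waHA6YWFh&content=hello HTTP/1.1" 200 210
203.0.113.5 - - [07/Apr/2022:10:00:03 +0000] "GET /elfinder/files/abcd.php%3Aaaa HTTP/1.1" 200 5
198.51.100.9 - - [07/Apr/2022:10:01:00 +0000] "GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 1024
198.51.100.9 - - [07/Apr/2022:10:01:05 +0000] "GET /elfinder/files/report.pdf HTTP/1.1" 200 84000
"""

# Minimal combined-log-format parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(uri):
    """Map a request URI to a chain stage: 'mkfile', 'put', 'access', or None."""
    parsed = urlparse(uri)
    path = parsed.path.lower()
    if path.endswith("/connector.minimal.php"):
        q = parse_qs(parsed.query, keep_blank_values=True)
        cmd = q.get("cmd", [""])[0]
        name = q.get("name", [""])[0]
        # Stage 1: mkfile with an NTFS alternate-data-stream style name (.php:...)
        if cmd == "mkfile" and ".php:" in name.lower():
            return "mkfile"
        # Stage 2: put with a content parameter (the write of the PHP payload)
        if cmd == "put" and "content" in q:
            return "put"
        return None
    # Stage 3: direct fetch of the written file; the colon arrives URL-encoded (%3A)
    if "/elfinder/files/" in path and ".php:" in unquote(path):
        return "access"
    return None


def scan_log(text):
    """Tag each request with its stage and summarise chain progress per source IP."""
    per_ip = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m.group("uri"))
        if stage is None:
            continue
        entry = per_ip.setdefault(m.group("ip"), {"stages": [], "status": {}})
        entry["stages"].append(stage)
        entry["status"][stage] = int(m.group("status"))

    findings = []
    for ip, entry in per_ip.items():
        stages = entry["stages"]
        full_chain = all(s in stages for s in ("mkfile", "put", "access"))
        # Access logs carry no response body, so a 200 on the final access is the
        # strongest log-only signal; the body check from the IOC notes needs the
        # response itself (e.g. a WAF or proxy capture).
        confirmed = full_chain and entry["status"].get("access") == 200
        findings.append({
            "ip": ip,
            "stages": stages,
            "full_chain": full_chain,
            "confirmed": confirmed,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        level = "COMPROMISE LIKELY" if f["confirmed"] else "ATTEMPT"
        print(f"{level}: {f['ip']} stages={f['stages']}")
```

Any single stage from an IP is worth an alert on its own, since the mkfile request with a `.php:` name has no legitimate use; the per-IP correlation mainly separates probing from a completed write-and-execute sequence.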

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)