CVE-2021-43421
Published 2022-04-07
Priority: P276 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 42.78% (98.5th percentile)
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| std42 | elfinder | 2.0.4 – 2.1.59 | — |
| studio-42 | elfinder | >= 2.0.4 < 2.1.60 | 2.1.60 |
Detection & IOCs (extracted from sources)
Indicators:
- URL: `/elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa`
- URL: `/elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}}`
- URL: `/elfinder/files/{{randstr}}.php%3Aaaa`
- Command: `cmd=mkfile&target=l1_Lw&name=<filename>.php:aaa`
- Command: `cmd=put&target=<hash>&content=<payload>`

Detection notes:
- Detect exploitation attempts by monitoring GET requests to connector.minimal.php with cmd=mkfile and a filename containing '.php:' (NTFS alternate data stream abuse for PHP upload bypass).
- Detect the follow-up write step: GET requests to connector.minimal.php with cmd=put and a content parameter, used to write arbitrary PHP code into the previously created file.
- Detect webshell access attempts: GET requests to /elfinder/files/ for paths containing '.php%3Aaaa' (URL-encoded colon), indicating execution of the uploaded alternate-data-stream PHP file.
- The attack is unauthenticated (no credentials required); any source IP can trigger the exploit chain against the exposed connector.minimal.php endpoint.
- Confirm exploitation by checking whether the HTTP response body of the third request (file access) contains the attacker-supplied content string, with HTTP 200 status.
- Extract the elFinder hash value from JSON responses using the regex pattern '"hash":"(.*?)",'; this hash is used as the target parameter in the subsequent cmd=put write request.
- The exploit uses a three-step HTTP GET chain: (1) mkfile to create a .php:aaa file, (2) put to write PHP content into it, (3) direct GET to execute it. All three steps must succeed for full RCE.
- The vulnerability affects elFinder versions 2.0.4 through 2.1.59 only; version 2.1.60 and above are patched.
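As an added example (not part of this vulnerability record or of the elFinder project), the detection notes above turned into a log-review script: it reads combined-format web access logs and reports, per source IP, which stages of the three-step chain were seen. The log lines, IP addresses, timestamps and the target hash are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
# One IP performs the full mkfile -> put -> file-access chain; the other is benign elFinder use.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2022:10:00:01 +0000] "GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=abc.php:aaa HTTP/1.1" 200 123 "-" "curl/7.68.0"
203.0.113.7 - - [07/Apr/2022:10:00:02 +0000] "GET /elFinder/php/connector.minimal.php?cmd=put&target=l1_YWJjLnBocDphYWE&content=%3C%3Fphp+echo+1%3B HTTP/1.1" 200 88 "-" "curl/7.68.0"
203.0.113.7 - - [07/Apr/2022:10:00:03 +0000] "GET /elfinder/files/abc.php%3Aaaa HTTP/1.1" 200 1 "-" "curl/7.68.0"
198.51.100.4 - - [07/Apr/2022:10:05:00 +0000] "GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path: str) -> str | None:
    """Map one request path (with query) to a stage of the CVE-2021-43421 chain, or None."""
    parts = urlsplit(path)
    decoded_path = unquote(parts.path)           # handles the %3A-encoded colon in stage 3
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if decoded_path.lower().endswith("/connector.minimal.php"):
        cmd = params.get("cmd", "")
        if cmd == "mkfile" and ".php:" in params.get("name", ""):
            return "mkfile_ads"        # stage 1: create <name>.php:<stream> via ADS trick
        if cmd == "put" and "content" in params:
            return "put_content"       # stage 2: write attacker-supplied content into it
    if "/files/" in decoded_path.lower() and ".php:" in decoded_path:
        return "webshell_access"       # stage 3: request the ADS-named PHP file directly
    return None

def find_exploit_chain(log_text: str) -> dict[str, set[str]]:
    """Return, per source IP, the set of chain stages observed in the log text."""
    stages: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # skip lines that are not in combined format
        stage = classify_request(m["path"])
        if stage:
            stages.setdefault(m["ip"], set()).add(stage)
    return stages

def full_chain_ips(log_text: str) -> list[str]:
    """IPs that completed all three stages, i.e. likely full RCE rather than a probe."""
    return sorted(ip for ip, seen in find_exploit_chain(log_text).items() if len(seen) == 3)

if __name__ == "__main__":
    for ip, seen in find_exploit_chain(SAMPLE_LOG).items():
        print(ip, sorted(seen))
    print("full chain:", full_chain_ips(SAMPLE_LOG))
```

A single mkfile or put hit is worth alerting on by itself, since stages 1 and 2 already prove an unauthenticated write to the server.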
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
OSV
CVE-2021-43421 [CRITICAL] elFinder Unrestricted File Upload vulnerability (osv · 2022-04-08)
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via `connector.minimal.php`, which allows a remote malicious user to upload arbitrary files and execute PHP code.
GHSA
CVE-2021-43421 [CRITICAL] CWE-434 elFinder Unrestricted File Upload vulnerability (ghsa · 2022-04-08)
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via `connector.minimal.php`, which allows a remote malicious user to upload arbitrary files and execute PHP code.
No detection rules found.
Nuclei
CVE-2021-43421 [CRITICAL] Studio-42 elFinder <2.1.60 - Arbitrary File Upload (nuclei · CVSS 9.8)
Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
Template:

```yaml
id: CVE-2021-43421
info:
  name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload
  author: akincibor
  severity: critical
  description: |
    Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to upload malicious files to the server and execute arbitrary code.
  remediation: |
    Upgrade to the latest version of Studio-42 elFinder plugin (2.1.60
```