CVE-2021-23394

8.1 HIGH

📋 TL;DR

elFinder before 2.1.58 accepts uploads whose name ends in .phar even when the content is PHP source. On a server whose web server hands .phar files to the PHP interpreter, a single request for the uploaded file runs the attacker's code with the privileges of the PHP process. The server-side handler mapping is a hard precondition: elFinder does not execute anything itself, it only lets the file land inside a web-served directory.

💻 Affected Systems

Products:
  • elFinder
Versions: All versions before 2.1.58
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ✅ No
Notes: Exploitation requires a web server that routes .phar files to PHP. This is not universal, but it is not rare either: the Debian/Ubuntu packaged mod_php configuration (/etc/apache2/mods-available/php7.x.conf and later) maps the pattern .+\.ph(ar|p|tml)$ to the PHP handler, while a typical nginx + php-fpm setup only passes \.php$ to FastCGI. Check the actual handler configuration instead of assuming it is safe.

📦 What is this software?

elFinder (Studio-42) is an open-source web file manager: a jQuery/JavaScript front end talking to a server-side "connector", most commonly the PHP connector shipped with the project (connector.minimal.php plus the elFinderVolumeDriver classes). The connector performs no authentication of its own; whatever the host application (CMS, admin panel, editor plugin) puts in front of it is the only access control. This CVE concerns the PHP connector's upload handling.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, access sensitive data, install backdoors, or pivot to other systems.

🟠

Likely Case

Unauthorized file upload leading to web shell installation, data exfiltration, or lateral movement within the network.

🟢

If Mitigated

Limited impact if proper file upload restrictions and PHP configuration hardening are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires reaching the connector's upload command and a server that executes .phar files. Because the connector has no built-in authentication, "unauthenticated" here means the host application exposed the connector without its own access control, which is a common integration mistake. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.58 and later

Vendor Advisory: https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1

Restart Required: No

Instructions:

1. Update elFinder to version 2.1.58 or later.
2. Replace the entire elFinder directory (client and php/ connector) with the patched version rather than copying individual files.
3. Clear any caches if applicable.

🔧 Temporary Workarounds

Disable .phar file execution

Platform: all

Make sure the web server never hands .phar files to the PHP interpreter. The php.ini setting phar.readonly does not help here: it only controls whether PHP scripts may create or modify phar archives (and it is already On by default); it has no effect on whether a requested .phar file is executed as PHP.

Apache (mod_php): look for a FilesMatch or AddHandler/AddType line that covers .phar and drop the extension from it. RemoveHandler .phar in .htaccess only undoes a mapping made with AddHandler; a SetHandler inside FilesMatch must be overridden or the extension denied outright:
  <FilesMatch "\.phar$">
      Require all denied        (Apache 2.2: Deny from all; or SetHandler None to serve it as a plain file)
  </FilesMatch>

nginx: the usual location ~ \.php$ { fastcgi_pass ...; } block does not match .phar. Check that no broader regex (for example \.ph(p|ar)$) passes it to php-fpm, and deny it explicitly. Put this block before the PHP location, because nginx uses the first matching regex location:
  location ~ \.phar$ { deny all; }

Restrict file uploads

Platform: all

Configure elFinder to allow only the MIME types your application needs. The connector options uploadDeny, uploadAllow and uploadOrder are lists of MIME types (or the keywords all, image, text), not file extensions, so 'uploadDeny' => array('phar') matches nothing and gives no protection. Use an explicit allow list in each root of the connector configuration, the same shape the shipped connector.minimal.php uses:
  'uploadDeny'  => array('all'),
  'uploadAllow' => array('image/jpeg', 'image/png', 'image/gif', 'text/plain'),
  'uploadOrder' => array('deny', 'allow'),
This narrows the window but still depends on elFinder's MIME detection of the uploaded bytes, which is the component the patch corrects; it is a stopgap, not a replacement for 2.1.58.

🧯 If You Can't Patch

  • Disable the upload command in the connector configuration ('disabled' => array('upload') on the root) and, if the application does not need them, the other file-creating commands (mkfile, put, rename) as well
  • Block requests for any URL ending in .phar at the web server or WAF, and block multipart uploads to the connector whose part filename ends in .phar; note that the upload filename is in the request body (Content-Disposition), so a WAF rule that only inspects the URL will not see it

🔍 How to Verify

Check if Vulnerable:

Check the elFinder version in the installed files (or the Composer metadata if installed through Composer). Compare numerically, not as strings: 2.1.9 sorts after 2.1.58 as text but is vulnerable. If the version is below 2.1.58, determine whether the server executes .phar files by inspecting the handler configuration, or by placing a harmless .phar containing PHP (for example <?php echo 'phar-exec'; ?>) in a test directory on a staging copy and requesting it; if the output is the text "phar-exec" rather than the source, .phar files are executed.

Check Version:

grep '"version"' elFinder/composer.json            (only present if the package records its version there)
grep -o "version *= *'[0-9.]*'" elFinder/js/elfinder.js
grep -A1 '"studio-42/elfinder"' vendor/composer/installed.json   (Composer installs; composer.lock also records it)

Verify Fix Applied:

Verify elFinder version is 2.1.58 or higher. Test that .phar file uploads are blocked or not executed.
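The following script is an added example, not code from elFinder or this advisory. It automates the two checks above: it extracts the version from Composer metadata or from elfinder.js and compares it numerically against 2.1.58, and it parses Apache/mod_php configuration text to decide whether a FilesMatch/SetHandler or AddHandler/AddType line routes .phar to PHP (Debian-style configs do). The elfinder.js pattern (a line such as this.version = '2.1.57';) and all sample inputs are assumptions constructed for the example; nginx is not covered, since there the question is whether any fastcgi location regex matches .phar.

```python
"""Is this elFinder install exposed to CVE-2021-23394?

Two conditions must both hold: elFinder is older than 2.1.58, and the web
server hands *.phar files to the PHP interpreter (Apache/mod_php config only).
"""
import json
import re

FIXED = (2, 1, 58)

# Assumption: elfinder.js carries a line like   this.version = '2.1.57';
JS_VERSION_RE = re.compile(r"""version\s*=\s*['"](\d+\.\d+\.\d+)['"]""")

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"?([^">\s]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
# "(?!-source)" keeps application/x-httpd-php-source (syntax highlighting, .phps) from matching
SETHANDLER_PHP_RE = re.compile(r'SetHandler\s+application/x-httpd-php(?!-source)', re.I)
ADDHANDLER_PHP_RE = re.compile(
    r'^\s*(?:AddHandler|AddType)\s+application/x-httpd-php(?!-source)\S*\s+(.+)$', re.I | re.M)


def parse_version(s):
    """'v2.1.57' -> (2, 1, 57). Tuples compare numerically; comparing the
    strings would wrongly rank '2.1.9' above '2.1.58'."""
    return tuple(int(p) for p in s.strip().lstrip("vV").split("."))


def is_vulnerable_version(version):
    return parse_version(version) < FIXED


def composer_version(text, package="studio-42/elfinder"):
    """Version of `package` from composer.lock / installed.json (Composer 1: list,
    Composer 2: {"packages": [...]}) or from the package's own composer.json."""
    data = json.loads(text)
    if isinstance(data, dict) and "packages" in data:
        data = data["packages"]
    if isinstance(data, dict):
        data = [data]
    for pkg in data:
        if pkg.get("name") == package and "version" in pkg:
            return pkg["version"]
    return None


def js_version(text):
    m = JS_VERSION_RE.search(text)
    return m.group(1) if m else None


def apache_maps_phar_to_php(conf):
    """True if this Apache/mod_php config text routes *.phar to the PHP handler."""
    for pattern, body in FILESMATCH_RE.findall(conf):
        if SETHANDLER_PHP_RE.search(body):
            try:
                if re.search(pattern, "shell.phar"):   # FilesMatch tests the basename
                    return True
            except re.error:
                pass                                   # PCRE syntax Python cannot parse
    for exts in ADDHANDLER_PHP_RE.findall(conf):
        if ".phar" in exts.lower().split():
            return True
    return False


def exposed(version, apache_conf):
    return is_vulnerable_version(version) and apache_maps_phar_to_php(apache_conf)


# Constructed samples, not taken from any real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "monolog/monolog", "version": "2.3.0"},
    {"name": "studio-42/elfinder", "version": "v2.1.57"},
]})
SAMPLE_JS = "elFinder = function(elm, opts, bootCallback) {\n\tthis.version = '2.1.58';\n"
DEBIAN_STYLE_CONF = r'''
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
'''
STRICT_CONF = r'''
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''

if __name__ == "__main__":
    v = composer_version(SAMPLE_LOCK)
    print("composer.lock version:", v, "-> vulnerable:", is_vulnerable_version(v))
    print("elfinder.js version:", js_version(SAMPLE_JS))
    print("Debian-style conf executes .phar:", apache_maps_phar_to_php(DEBIAN_STYLE_CONF))
    print("exposed:", exposed(v, DEBIAN_STYLE_CONF))
```

Run it against the real files by reading composer.lock, elfinder.js and the mods-enabled/ or vhost config into the functions; a "True" from exposed() means patch first, then fix the handler mapping, since the handler mapping will still execute any PHP file that reaches the document root by other means.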

📡 Detection & Monitoring

Log Indicators:

  • New files with a .phar extension under the elFinder volume path (find <files-dir> -name '*.phar'); access logs do not record the filename of a multipart upload, so look at the filesystem or at application-level connector logging
  • PHP execution errors, warnings or php-fpm slow-log entries naming a .phar path
  • Unusual file creation in elFinder upload directories, especially files whose content starts with <?php

Network Indicators:

  • POST requests to the elFinder connector (connector*.php) followed, from the same client, by a request for a .phar under the files URL
  • Any request for a .phar URL answered with 200, particularly with command-like query parameters or a non-browser User-Agent; connector commands such as cmd=mkfile or cmd=rename with name=...phar in the query string

SIEM Query:

source="web_logs" AND ((uri="*connector*" AND (file_extension="phar" OR uri="*name=*.phar*")) OR uri="*.phar*")

The file_extension field only exists if your pipeline extracts upload filenames from request bodies or from connector logs; the uri="*.phar*" clause is the portable part. Do not require an elfinder Referer on the .phar request: the attacker fetches the dropped file directly, usually without any Referer.
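The detector below is an added example, not part of this advisory or of elFinder, and it implements the indicators listed above over Apache/nginx "combined"-format access logs: a .phar URL served with 200, a .phar request within 30 minutes of a POST to the connector from the same client, and a connector command carrying a .phar name in its query string. The connector script name (connector*.php), the log format and the sample log lines are assumptions constructed for the example; adjust the regular expressions to your deployment.

```python
"""Flag access-log activity consistent with a .phar drop through elFinder.

Access logs never show the filename of a multipart upload, so the usable
signals are the later request for the dropped file and the connector
commands whose arguments are visible in the query string.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Deployment assumptions: connector script name, and that uploads are web-served.
CONNECTOR_RE = re.compile(r'/connector[^/?]*\.php', re.I)
PHAR_URL_RE = re.compile(r'\.phar(?:$|[/?#])', re.I)
# cmd=mkfile / cmd=rename carry the new name in the query string (name=, name[]=, name%5B%5D=)
PHAR_NAME_PARAM_RE = re.compile(r'[?&]name(?:\[\]|%5B%5D)?=[^&]*\.phar(?:&|$)', re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(minutes=30)):
    """Return (rule, client_ip, request_path) findings in log order."""
    findings = []
    last_connector_post = {}          # client ip -> time of its latest POST to the connector
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if CONNECTOR_RE.search(path):
            if rec["method"] == "POST":           # uploads are POSTs; the body is not logged
                last_connector_post[ip] = ts
            if PHAR_NAME_PARAM_RE.search(path):
                findings.append(("phar-name-in-connector-command", ip, path))
            continue
        if PHAR_URL_RE.search(path):
            if rec["status"] == 200:              # a 404 for *.phar is scanner noise, not a hit
                findings.append(("phar-served-200", ip, path))
            seen = last_connector_post.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                findings.append(("connector-post-then-phar", ip, path))
    return findings


# Constructed sample log (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:14:02:11 +0000] "GET /elfinder/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 812 "https://app.example/elfinder/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:14:02:40 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 233 "https://app.example/elfinder/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:14:03:02 +0000] "GET /elfinder/files/cmd.phar?c=id HTTP/1.1" 200 57 "-" "curl/7.68.0"
198.51.100.4 - - [10/Jun/2021:14:05:17 +0000] "GET /elfinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=test.phar HTTP/1.1" 200 190 "https://app.example/elfinder/" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2021:15:30:00 +0000] "GET /elfinder/files/report.pdf HTTP/1.1" 200 4096 "https://app.example/elfinder/" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2021:15:31:00 +0000] "GET /old/tool.phar HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, ip, path in run_sample():
        print(f"{rule:32} {ip:14} {path}")
```

The two findings for 203.0.113.7 are the pattern to escalate on: a POST to the connector followed by a 200 for a .phar fetched with curl and a command-style query string. The 404 for /old/tool.phar from 192.0.2.9 is deliberately not flagged; extension scanners generate those constantly and they carry no evidence of a successful drop.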
