CVE-2021-43421

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to upload arbitrary files including PHP scripts to elFinder web file managers, potentially leading to remote code execution. It affects all systems running elFinder versions 2.0.4 through 2.1.59 with the connector.minimal.php endpoint accessible. Attackers can compromise the web server and potentially the underlying system.

💻 Affected Systems

Products:
  • Studio-42 elFinder
Versions: 2.0.4 to 2.1.59
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in connector.minimal.php endpoint. Any installation with this file accessible via web is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Web server compromise allowing file system access, data exfiltration, and installation of web shells for ongoing access.

🟢 If Mitigated

File upload blocked or sanitized, preventing malicious file execution while potentially allowing file storage.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication in default configurations.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests can exploit this vulnerability. Multiple public proof-of-concept scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.60 and later

Vendor Advisory: https://github.com/Studio-42/elFinder/issues/3429

Restart Required: No

Instructions:

1. Backup the current elFinder installation.
2. Download elFinder 2.1.60 or later from GitHub.
3. Replace all elFinder files with the patched version.
4. Verify that connector.minimal.php has been updated.

🔧 Temporary Workarounds

Disable connector.minimal.php (linux)

Remove or restrict access to the vulnerable endpoint. Note that this takes the whole elFinder backend offline, since every client operation goes through this connector:

mv connector.minimal.php connector.minimal.php.disabled
# lock down the renamed file (the original name no longer exists after the mv)
chmod 000 connector.minimal.php.disabled

Web server file type restriction (all)

Configure the web server to deny access to PHP files inside the elFinder upload directory, so a script that does get uploaded cannot be executed. Scope the rule to that directory only; applied site-wide it also blocks connector.minimal.php and the rest of the application:

# Apache: add to .htaccess in the elFinder upload directory (Apache 2.4 syntax;
# on 2.2 use "Deny from all" in place of "Require all denied")
<FilesMatch "\.(php|php3|php4|php5|phtml|phar)$">
    Require all denied
</FilesMatch>
# Nginx: add to the server block, with the upload path adjusted to your install
location ~ ^/elfinder/files/.*\.(php|php3|php4|php5|phtml|phar)$ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict file upload validation: check file extensions, MIME types, and content signatures
  • Deploy web application firewall (WAF) rules to block file uploads to elFinder endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether connector.minimal.php exists in the elFinder directory and is reachable via a web browser or curl. Test with a harmless (non-executable) file upload to confirm the endpoint is functional.

Check Version:

# the minified build carries the version as an assignment (version="2.1.xx");
# match it case-insensitively and print only the first occurrence
grep -o -i -m1 -E 'version *= *.[0-9]+\.[0-9.]+' elfinder/js/elfinder.min.js

Verify Fix Applied:

Attempt to upload a PHP file via the connector.minimal.php endpoint; it should be rejected. Confirm the elFinder version is 2.1.60 or later.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to */connector.minimal.php with file upload parameters
  • Web server logs showing PHP file uploads to elFinder directories
  • Unusual file creation in elFinder upload directories

Network Indicators:

  • POST requests with Content-Type: multipart/form-data to elFinder endpoints
  • Unusual outbound connections from web server following file uploads

SIEM Query:

source="web_server_logs" AND uri="*connector.minimal.php*" AND method="POST" AND (file_extension="php" OR file_extension="phtml")
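An added example, not part of this advisory, that applies the log and file-system indicators above to constructed sample data: it parses combined-format access-log lines for POSTs to connector.minimal.php and flags upload-directory names carrying a PHP extension in any position (some Apache handler configurations treat a double extension such as photo.php.jpg as PHP, which a `$`-anchored check misses). The log lines and file paths are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions the workaround above denies; a name is flagged when ANY dotted
# segment matches, so "photo.php.jpg" is caught as well as "shell.php".
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_php_name(name: str) -> bool:
    """True if any extension segment of the file name is PHP-executable."""
    return any(p in PHP_EXTS for p in name.lower().split(".")[1:])

def parse_line(line: str):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["uri"])
    entry["path"], entry["query"] = parts.path, parse_qs(parts.query)
    return entry

def scan_access_log(lines):
    """Entries that POST to connector.minimal.php. elFinder sends upload (and
    mkdir/rm/etc.) as POST with cmd in the body, so each hit is a candidate
    to correlate with new files in the upload directory, not proof of an upload."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["path"].endswith("/connector.minimal.php") and e["method"] == "POST":
            hits.append(e)
    return hits

def upload_dir_hits(paths):
    """Flag files in the elFinder upload directory with PHP-executable names."""
    return [p for p in paths if is_php_name(p.rsplit("/", 1)[-1])]

# Constructed sample data (not real traffic): a harmless "open", a POST from a
# scripted client, an unrelated request, and a listing of the upload directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /elfinder/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 318 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = ["/var/www/files/report.pdf", "/var/www/files/shell.php", "/var/www/files/photo.php.jpg"]
```

Run `scan_access_log(SAMPLE_LOG)` and `upload_dir_hits(SAMPLE_FILES)` over your own log export and a directory listing; a POST hit followed by a new executable name in the upload directory is the sequence worth investigating.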

🔗 References