CVE-2022-26960
📋 TL;DR
CVE-2022-26960 is a path traversal vulnerability in elFinder's connector.minimal.php that allows unauthenticated attackers to read, write, and browse files outside the configured document root. This affects all systems running vulnerable versions of elFinder, particularly web applications using the file manager component. The vulnerability stems from improper handling of absolute file paths.
💻 Affected Systems
- std42 elFinder
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via arbitrary file read/write, leading to sensitive data exposure, code execution, or system takeover.
Likely Case
Unauthorized access to sensitive files (config files, credentials, source code) and potential data exfiltration or modification.
If Mitigated
Limited impact if proper file permissions, web server restrictions, and network segmentation are implemented.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers can craft HTTP requests with path traversal payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.61 and later
Vendor Advisory: https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
Restart Required: No
Instructions:
1. Update elFinder to version 2.1.61 or later.
2. Replace the connector.minimal.php file with the patched version.
3. Verify the fix by testing path traversal attempts.
🔧 Temporary Workarounds
Web Server Path Restriction
Configure the web server (Apache/Nginx) to restrict access to the elFinder connector and the PHP files in its directory. Both rules below deny all requests to the connector, so elFinder stops working until the patch is applied.
# Apache: Add to .htaccess
<Files "connector.minimal.php">
Require all denied
</Files>
# Nginx: Add to server block
location ~ /elfinder/.*\.php$ {
deny all;
}
File Permission Hardening
Set strict file permissions on sensitive files and directories outside the web root so that the web server's user cannot read them. /etc/passwd must stay world-readable (0644), since logins and name lookups depend on it; restrict /etc/shadow and home directories instead.
chmod 600 /etc/shadow
chmod 700 /root /home/*
🧯 If You Can't Patch
- Disable or remove elFinder from production systems immediately.
- Implement network segmentation to isolate elFinder instances from sensitive systems.
🔍 How to Verify
Check if Vulnerable:
Check if elFinder version is 2.1.60 or earlier by examining the elFinder directory or composer.json. Test with a path traversal payload: attempt to access /etc/passwd via connector.minimal.php.
Check Version:
grep -r "version" elfinder/js/elfinder.full.js | head -1
Verify Fix Applied:
After patching, attempt the same path traversal test; it should return an error or be blocked. Verify the elFinder version is 2.1.61+.
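The version check above can be scripted so that it runs the same way across many hosts. The example below is added here and is not part of the advisory or of the elFinder project; it assumes that elfinder.full.js carries a line of the form `version = '2.1.x'` (which is what the grep on this page relies on) and that a composer.json, where present, may carry a "version" key, and it compares whatever it finds against the fixed version 2.1.61. The file contents in the block are constructed samples.

```python
"""Extract an elFinder version string and decide whether it is below the fixed release 2.1.61."""
import json
import re

FIXED_VERSION = "2.1.61"  # first release carrying the fix, as stated on this page

# Constructed sample contents standing in for elfinder/js/elfinder.full.js and composer.json.
SAMPLE_FULL_JS = "/* elFinder */\nelFinder.prototype.version = '2.1.60';\n"
SAMPLE_COMPOSER = '{"name": "studio-42/elfinder", "version": "2.1.61"}'

# Assumed pattern: a "version" assignment or key followed by a dotted number.
VERSION_RE = re.compile(r"""version\s*[:=]\s*['"](\d+(?:\.\d+)*)['"]""", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, e.g. (2, 1, 60), or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_from_composer(text):
    """Read a "version" key from composer.json contents; None if absent or invalid JSON."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    value = data.get("version")
    return tuple(int(p) for p in value.split(".")) if value else None


def is_vulnerable(version):
    """True when the version is older than 2.1.61 (tuple comparison, so 2.1.9 < 2.1.61)."""
    fixed = tuple(int(p) for p in FIXED_VERSION.split("."))
    return version < fixed


def assess(full_js_text, composer_text=None):
    """Combine both sources; the JS file wins because it is what actually runs on the host."""
    version = parse_version(full_js_text)
    if version is None and composer_text is not None:
        version = version_from_composer(composer_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "version not found"}
    return {"version": ".".join(map(str, version)), "vulnerable": is_vulnerable(version), "note": ""}


if __name__ == "__main__":
    print(assess(SAMPLE_FULL_JS, SAMPLE_COMPOSER))
```

On a real host, read the two files from the elFinder install directory and pass their contents to `assess`; a result of `vulnerable: True` means the patch from the advisory above has not been applied.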
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to connector.minimal.php with ../ or absolute paths in parameters
- Unusual file access patterns in web server logs (e.g., attempts to read /etc/passwd)
Network Indicators:
- Traffic to elFinder endpoints with path traversal strings in payloads
SIEM Query:
source="web_logs" AND uri="*connector.minimal.php*" AND (uri="*../*" OR uri="*/etc/*")
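The log indicators and the SIEM query above can be applied directly to web server access logs. The following script is an added example, not part of the advisory, that parses combined-format log lines, keeps only requests to connector.minimal.php, URL-decodes each query parameter (repeatedly, to catch double encoding that a single-pass wildcard match in the SIEM query would miss) and reports values containing dot-dot segments or absolute paths. The log lines are constructed samples.

```python
"""Flag requests to the elFinder connector whose parameters carry traversal or absolute paths."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /elfinder/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:12:00:02 +0000] "GET /elfinder/php/connector.minimal.php?cmd=file&target=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2023:12:00:03 +0000] "GET /elfinder/php/connector.minimal.php?cmd=file&target=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2023:12:00:04 +0000] "GET /elfinder/php/connector.minimal.php?cmd=file&target=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/7.68.0"
10.0.0.7 - - [10/Mar/2023:12:00:05 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.8 - - [10/Mar/2023:12:00:06 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment delimited by slashes or backslashes (or at either end of the value).
DOTDOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def _fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, bounded to avoid pathological input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(uri):
    """Return (name, decoded_value, reason) for parameters with traversal or absolute paths."""
    hits = []
    query = urlsplit(uri).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = _fully_decode(raw)
            if DOTDOT_RE.search(value):
                hits.append((name, value, "dot-dot traversal"))
            elif value.startswith("/") or re.match(r"^[A-Za-z]:\\", value):
                hits.append((name, value, "absolute path"))
    return hits


def flag_elfinder_traversal(log_text):
    """Scan log lines; return one finding per connector request with a suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        uri = m.group("uri")
        if "connector.minimal.php" not in urlsplit(uri).path:
            continue  # traversal strings elsewhere are someone else's detection
        hits = suspicious_params(uri)
        if hits:
            findings.append(
                {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")), "hits": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in flag_elfinder_traversal(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["hits"])
```

The HTTP status in each finding is worth keeping: a 200 on a flagged request to an unpatched host is an indication that the read may have succeeded, whereas after the fix the same request should be rejected, which matches the verification step on this page.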
🔗 References
- https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
- https://www.synacktiv.com/publications.html
- https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html