CVE-2022-27115
📋 TL;DR
CVE-2022-27115 is a remote code execution vulnerability in elFinder file manager that allows attackers to bypass file upload restrictions by manipulating file names. This affects all systems running vulnerable versions of elFinder with file upload functionality enabled. Attackers can execute arbitrary code on the server with the privileges of the web server process.
💻 Affected Systems
- Studio-42 elFinder
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, install malware, steal data, pivot to internal networks, and establish persistent access.
Likely Case
Webshell deployment leading to data theft, credential harvesting, and use of the server for further attacks.
If Mitigated
Limited impact if proper file upload restrictions, input validation, and web application firewalls are in place.
🎯 Exploit Status
Exploitation requires authenticated access to elFinder interface. Multiple public proof-of-concept exploits exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.61 and later
Vendor Advisory: https://github.com/Studio-42/elFinder/releases/tag/2.1.61
Restart Required: No
Instructions:
1. Backup the current elFinder installation.
2. Download elFinder 2.1.61 or later from GitHub.
3. Replace the vulnerable files with the patched version.
4. Verify that file permissions remain secure.
5. Test file upload functionality.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable file upload functionality in the elFinder configuration
Edit elFinder configuration to set 'uploadAllow' to empty array []
Restrict file extensions
Configure elFinder to only allow specific safe file extensions
Set 'uploadAllow' to ['image/jpeg', 'image/png', 'application/pdf'] in configuration
🧯 If You Can't Patch
- Implement strict WAF rules to block malicious file upload attempts
- Isolate elFinder instance in separate container or VM with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check elFinder version in source code or configuration files. Versions below 2.1.61 are vulnerable.
Check Version:
grep -r 'elfinder' /path/to/webroot | grep -i version
Verify Fix Applied:
Verify that the version is 2.1.61 or higher and confirm that uploads with manipulated filenames are rejected.
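The grep above finds version strings but leaves the comparison to the reader, and a plain string comparison gets it wrong (as strings, "2.1.9" sorts after "2.1.61"). The following is an added example, not part of this advisory or of the elFinder project: it extracts dotted version strings from elFinder source files and compares them numerically against 2.1.61. The regex assumes the version is declared as a quoted string after the word "version" (as in `$version = '2.1.60';` or `prototype.version = '2.1.60';`); the exact variable names in elFinder's files are an assumption here.

```python
import re
from pathlib import Path

# First fixed release according to the advisory.
FIXED_VERSION = (2, 1, 61)

# Assumption: elFinder's PHP connector and JS client declare the version as a
# quoted dotted string following the word "version", e.g. $version = '2.1.60';
VERSION_RE = re.compile(r"""version\s*=\s*['"](\d+(?:\.\d+)+)['"]""", re.IGNORECASE)


def parse_version(text):
    """Turn '2.1.9' into (2, 1, 9) so that 2.1.9 < 2.1.61 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the version predates the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_versions(source):
    """Return every version string declared in one file's contents."""
    return VERSION_RE.findall(source)


def scan_sources(sources):
    """Pure helper: map {path: file text} -> {path: (version, vulnerable?)}."""
    results = {}
    for path, text in sources.items():
        for version in find_versions(text):
            results[path] = (version, is_vulnerable(version))
    return results


def scan_webroot(root):
    """Walk a webroot and check every .php/.js file for a version declaration."""
    sources = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".php", ".js"} or not path.is_file():
            continue
        try:
            sources[str(path)] = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
    return scan_sources(sources)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (version, vuln) in sorted(scan_webroot(root).items()):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:<8} {path}")
```

Run it as `python3 check_elfinder.py /path/to/webroot`; any line marked VULNERABLE names a file still declaring a pre-2.1.61 version, which is the case to investigate after a partial or failed upgrade.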
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload attempts with special characters in filenames
- Multiple failed upload attempts followed by successful PHP file upload
- Web server process spawning unexpected child processes
Network Indicators:
- HTTP POST requests to elFinder upload endpoint with suspicious filenames
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_logs" AND uri="/elfinder/connector" AND (filename="*.php" OR filename="*.php5" OR filename="*.phtml")
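The SIEM query above matches the PHP extensions one at a time; it misses case variants and double extensions, and it cannot express the "failed attempts followed by a successful PHP upload" sequence from the log indicators. The following is an added example, not part of this advisory or of elFinder: it runs those indicators over constructed sample log lines. It assumes an application or WAF log that records the uploaded filename next to each request as one JSON object per line (a plain access log does not contain the multipart filename), with the field names `src`, `method`, `uri`, `filename` and `status` chosen for this example.

```python
import json
import re

# Constructed sample log lines for this example (not real traffic). The
# schema (src/method/uri/filename/status) is an assumption about the log source.
SAMPLE_LOGS = """\
{"src": "203.0.113.10", "method": "POST", "uri": "/elfinder/connector", "filename": "report.pdf", "status": 200}
{"src": "198.51.100.7", "method": "POST", "uri": "/elfinder/connector", "filename": "holiday.jpg", "status": 200}
{"src": "198.51.100.7", "method": "POST", "uri": "/elfinder/connector", "filename": "notes.PHTML", "status": 403}
{"src": "198.51.100.7", "method": "POST", "uri": "/elfinder/connector", "filename": "x;y.txt", "status": 403}
{"src": "198.51.100.7", "method": "POST", "uri": "/elfinder/connector", "filename": "image.jpg.php", "status": 200}
{"src": "192.0.2.5", "method": "GET", "uri": "/elfinder/connector", "filename": "", "status": 200}
{"src": "192.0.2.5", "method": "POST", "uri": "/elfinder/connector", "filename": "cmd.php5", "status": 200}
"""

UPLOAD_URI = "/elfinder/connector"
# Extensions from the advisory's SIEM query. They are matched case-insensitively
# against every dot-separated segment after the base name, so a double
# extension such as image.jpg.php is caught as well.
PHP_EXTENSIONS = {"php", "php5", "phtml"}
# Anything outside this conservative character set counts as a "special
# character in the filename" for the first log indicator.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def classify(event):
    """Return the indicator names one upload event triggers (empty if none)."""
    reasons = []
    if event.get("method") != "POST" or event.get("uri") != UPLOAD_URI:
        return reasons
    name = event.get("filename") or ""
    if not name:
        return reasons
    segments = name.lower().split(".")[1:]
    if any(seg in PHP_EXTENSIONS for seg in segments):
        reasons.append("php-extension")
    if not SAFE_NAME.match(name):
        reasons.append("special-chars")
    return reasons


def detect(log_text):
    """Parse JSON-per-line logs and return one alert per suspicious upload."""
    alerts = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip, do not abort the whole batch
        reasons = classify(event)
        if reasons:
            alerts.append({
                "src": event.get("src"),
                "filename": event.get("filename"),
                "status": event.get("status"),
                "reasons": reasons,
            })
    return alerts


def escalate(alerts):
    """Per source, flag a rejected upload followed later by an accepted PHP
    upload: the 'failed attempts then successful PHP upload' indicator."""
    seen_failure = set()
    escalated = []
    for alert in alerts:  # alerts keep log order, so 'followed by' is meaningful
        src = alert["src"]
        if alert["status"] != 200:
            seen_failure.add(src)
        elif "php-extension" in alert["reasons"] and src in seen_failure and src not in escalated:
            escalated.append(src)
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(f"{alert['src']:<14} {alert['status']} {alert['filename']:<16} {','.join(alert['reasons'])}")
    print("escalate:", escalate(found))
```

Per-event matching produces the raw alerts; the per-source pass is what turns a noisy "rejected PHP upload" (which the fix itself produces when it works) into the higher-priority finding: a source that was refused and then got a PHP file accepted.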