{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elfinder/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["elFinder"],"_cs_severities":["high"],"_cs_tags":["elFinder","command-injection","imagemagick","webserver"],"_cs_type":"advisory","_cs_vendors":["elFinder"],"content_html":"\u003cp\u003eelFinder, a web file manager, is susceptible to a command injection vulnerability affecting versions prior to 2.1.67. The vulnerability resides within the \u003ccode\u003eresize\u003c/code\u003e command, specifically how the \u003ccode\u003ebg\u003c/code\u003e (background color) parameter is handled when the ImageMagick CLI backend is used for image processing. User-supplied input for the \u003ccode\u003ebg\u003c/code\u003e parameter is not properly sanitized before being incorporated into shell command strings. This allows an attacker to inject arbitrary commands by crafting a malicious \u003ccode\u003ebg\u003c/code\u003e value, resulting in command execution with the privileges of the web server process. This poses a significant risk to web servers running vulnerable elFinder instances, potentially leading to data breaches, system compromise, or denial of service. The vulnerability was addressed in version 2.1.67 by validating the \u003ccode\u003ebg\u003c/code\u003e parameter against a strict allowlist and safely escaping the value.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted HTTP request to an elFinder instance, targeting the \u003ccode\u003eresize\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious \u003ccode\u003ebg\u003c/code\u003e parameter value containing shell metacharacters.\u003c/li\u003e\n\u003cli\u003eelFinder processes the request and passes the \u003ccode\u003ebg\u003c/code\u003e parameter to the volume resize handling function.\u003c/li\u003e\n\u003cli\u003eThe application determines that image processing should use the ImageMagick CLI backend.\u003c/li\u003e\n\u003cli\u003eThe application interpolates the unsanitized \u003ccode\u003ebg\u003c/code\u003e parameter value into a shell command string.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters are interpreted by the shell, allowing the attacker to inject arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe system executes the crafted shell command with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, potentially leading to data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server process. The impact depends on the server configuration, enabled commands, the backend image library selection, and any existing deployment controls. A successful attack could lead to complete system compromise, data breaches, or denial of service. While the specific number of affected installations is unknown, this vulnerability presents a high risk due to the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade elFinder to version 2.1.67 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the \u003ccode\u003eresize\u003c/code\u003e command within elFinder's configuration to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eresize\u003c/code\u003e command is needed, avoid using the ImageMagick CLI backend for image processing and use a safer library.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;elFinder Resize Command Injection Attempt\u0026quot; to detect exploitation attempts based on suspicious characters in the \u003ccode\u003ecs-uri-query\u003c/code\u003e (webserver log source).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual command invocations originating from the web server process, which could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-elfinder-command-injection/","summary":"elFinder is vulnerable to command injection via the 'bg' parameter in the resize command when using the ImageMagick CLI backend, allowing arbitrary command execution as the web server process user.","title":"elFinder Command Injection via ImageMagick CLI in Resize Command","url":"https://feed.craftedsignal.io/briefs/2024-01-02-elfinder-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - ElFinder","version":"https://jsonfeed.org/version/1.1"}