<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ElFinder - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/elfinder/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/elfinder/feed.xml" rel="self" type="application/rss+xml"/><item><title>elFinder Command Injection via ImageMagick CLI in Resize Command</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-elfinder-command-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-elfinder-command-injection/</guid><description>elFinder is vulnerable to command injection via the 'bg' parameter in the resize command when using the ImageMagick CLI backend, allowing arbitrary command execution as the web server process user.</description><content:encoded><![CDATA[<p>elFinder, a web file manager, is susceptible to a command injection vulnerability affecting versions prior to 2.1.67. The vulnerability resides within the <code>resize</code> command, specifically how the <code>bg</code> (background color) parameter is handled when the ImageMagick CLI backend is used for image processing. User-supplied input for the <code>bg</code> parameter is not properly sanitized before being incorporated into shell command strings. This allows an attacker to inject arbitrary commands by crafting a malicious <code>bg</code> value, resulting in command execution with the privileges of the web server process. This poses a significant risk to web servers running vulnerable elFinder instances, potentially leading to data breaches, system compromise, or denial of service. The vulnerability was addressed in version 2.1.67 by validating the <code>bg</code> parameter against a strict allowlist and safely escaping the value.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker sends a crafted HTTP request to an elFinder instance, targeting the <code>resize</code> command.</li>
<li>The request includes a malicious <code>bg</code> parameter value containing shell metacharacters.</li>
<li>elFinder processes the request and passes the <code>bg</code> parameter to the volume resize handling function.</li>
<li>The application determines that image processing should use the ImageMagick CLI backend.</li>
<li>The application interpolates the unsanitized <code>bg</code> parameter value into a shell command string.</li>
<li>The injected shell metacharacters are interpreted by the shell, allowing the attacker to inject arbitrary commands.</li>
<li>The system executes the crafted shell command with the privileges of the web server process.</li>
<li>The attacker achieves arbitrary code execution on the server, potentially leading to data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server process. The impact depends on the server configuration, enabled commands, the backend image library selection, and any existing deployment controls. A successful attack could lead to complete system compromise, data breaches, or denial of service. While the specific number of affected installations is unknown, this vulnerability presents a high risk due to the potential for significant damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade elFinder to version 2.1.67 or later to patch the vulnerability.</li>
<li>If upgrading is not immediately feasible, disable the <code>resize</code> command within elFinder's configuration to prevent exploitation.</li>
<li>If <code>resize</code> command is needed, avoid using the ImageMagick CLI backend for image processing and use a safer library.</li>
<li>Deploy the Sigma rule &quot;elFinder Resize Command Injection Attempt&quot; to detect exploitation attempts based on suspicious characters in the <code>cs-uri-query</code> (webserver log source).</li>
<li>Monitor web server logs for unusual command invocations originating from the web server process, which could indicate successful exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>elFinder</category><category>command-injection</category><category>imagemagick</category><category>webserver</category></item></channel></rss>