CVE-2019-5884
Description
php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or open_basedir is not set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
elFinder before 2.1.45 leaks information via curl when safe_mode/open_basedir are not set, due to insufficient URL validation.
Vulnerability
The vulnerability resides in the get_remote_contents method of php/elFinder.class.php. In versions before 2.1.45, if PHP's curl extension is enabled and neither safe_mode nor open_basedir is set, the method hands the URL to curl_get_contents without validating it. An attacker can supply a malicious URL that causes curl to access internal resources, leading to information leakage. The fix adds a regex check so that only URLs matching an allowed pattern are fetched [1][2].
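As an added example (not elFinder's code and not part of this advisory), the following PHP shows a stricter version of the gate the fix introduces: instead of a prefix regex it parses the URL, allows only http and https, and refuses hosts that resolve to loopback, link-local or private addresses, which a scheme-only check cannot catch. The function names, the sample URLs and the stubbed resolver table are constructed for illustration; the code assumes PHP 8.

```php
<?php
// Added example, not elFinder code: a stricter remote-URL gate for a server-side
// fetcher. It makes the two checks a scheme-prefix regex does not: exact scheme
// parsing, and rejection of hosts that resolve to non-public addresses.

declare(strict_types=1);

/**
 * Return true if $url is an absolute http(s) URL whose host is a public address.
 * Hypothetical helper; the scheme allowlist and the checks are assumptions.
 * $resolver maps a hostname to an array of IP strings (or false), so the
 * example can run offline with a stub.
 */
function isSafeRemoteUrl(string $url, callable $resolver = 'gethostbynamel'): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                         // relative, malformed, or no host (file:///...)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                         // ftp://, gopher://, dict:// and the rest
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                         // user@host forms invite host confusion
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    // Literal IP: check it directly. Hostname: check every address it resolves to,
    // so a DNS name that points at 127.0.0.1 alongside a public address is refused.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : ($resolver($host) ?: []);
    if ($addresses === []) {
        return false;                         // unresolvable: fail closed
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return false;
        }
    }
    return true;
}

/** True for a globally routable unicast address (IPv4 or IPv6). */
function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::, ::1 and fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed resolver stub so the example needs no network; hostnames and
// addresses below are made up for the demonstration.
$stubResolver = function (string $host): array|false {
    $table = [
        'example.com'      => ['93.184.216.34'],
        'intranet.example' => ['10.0.0.5'],
        'rebinder.example' => ['93.184.216.34', '127.0.0.1'], // one public, one loopback
    ];
    return $table[$host] ?? false;
};

// Constructed sample URLs with the decision each should produce.
$samples = [
    'https://example.com/report.pdf' => true,
    'http://rebinder.example/'       => false,
    'http://intranet.example/admin'  => false,
    'http://127.0.0.1:8080/'         => false,
    'http://[::1]/'                  => false,
    'http://169.254.10.10/'          => false,
    'file:///etc/passwd'             => false,
    'ftp://example.com/pub/file'     => false,
    'gopher://example.com/'          => false,
    'http://user@example.com/'       => false,
    'https://nonexistent.invalid/'   => false,   // resolver returns false: fail closed
];

foreach ($samples as $url => $expected) {
    $got = isSafeRemoteUrl($url, $stubResolver);
    printf("%-34s %s%s\n", $url, $got ? 'allow' : 'deny',
        $got === $expected ? '' : '  <-- MISMATCH');
}
```

Two caveats belong with a check like this. Resolving the host here and then letting the fetcher resolve it again leaves a window for the answer to change, so the fetch should be pinned to the validated address (curl exposes this through CURLOPT_RESOLVE) or the check repeated on the address actually connected to. And the check applies to the first URL only; a fetcher that follows redirects must re-run it on every hop, or restrict redirect protocols and hosts in the transport itself.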
Exploitation
An attacker needs the ability to provide a URL to elFinder, for example via file upload or remote URL fetching features. No authentication is required if the elFinder instance is publicly accessible. The attacker crafts a URL that points to internal services (e.g., file:///etc/passwd or internal IPs) that curl can access. The lack of URL validation allows curl to fetch and return the content, which is then processed by elFinder [2].
Impact
Successful exploitation results in information disclosure. The attacker can read arbitrary files from the server's filesystem or access internal network resources, depending on the curl capabilities. This can expose sensitive data such as configuration files, credentials, or internal service responses [1][2].
Mitigation
The vulnerability is fixed in elFinder version 2.1.45, released on 2019-01-10 [3]. Users should upgrade to this version or later. If upgrading is not immediately possible, disabling the curl extension or setting safe_mode or open_basedir reduces the risk, but these are not recommended as long-term solutions. The CVE is not listed in the CISA KEV catalog [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | < 2.1.45 | 2.1.45 |
Affected products
Patches (2)
Commit f133163f2d75: [php:core:security] fix information leakage vulnerability
1 file changed · +18 −14
php/elFinder.class.php+18 −14 modified@@ -2395,8 +2395,11 @@ protected function abort($args = array()) **/ protected function get_remote_contents(&$url, $timeout = 30, $redirect_max = 5, $ua = 'Mozilla/5.0', $fp = null) { - $method = (function_exists('curl_exec') && !ini_get('safe_mode') && !ini_get('open_basedir')) ? 'curl_get_contents' : 'fsock_get_contents'; - return $this->$method($url, $timeout, $redirect_max, $ua, $fp); + if (preg_match('~^(?:ht|f)tps?://[-_.!\~*\'()a-z0-9;/?:\@&=+\$,%#\*]+~i', $url)) { + $method = (function_exists('curl_exec') && !ini_get('safe_mode') && !ini_get('open_basedir')) ? 'curl_get_contents' : 'fsock_get_contents'; + return $this->$method($url, $timeout, $redirect_max, $ua, $fp); + } + return false; } /** 
@@ -3037,19 +3040,20 @@ protected function upload($args) list($data, $args['name'][$i]) = $this->parse_data_scheme($url, $extTable, $args); } else { $fp = fopen($tmpfname, 'wb'); - $data = $this->get_remote_contents($url, 30, 5, 'Mozilla/5.0', $fp); - // to check connection is aborted - elFinder::checkAborted(); - $_name = preg_replace('~^.*?([^/#?]+)(?:\?.*)?(?:#.*)?$~', '$1', rawurldecode($url)); - // Check `Content-Disposition` response header - if ($data && ($headers = get_headers($url, true)) && !empty($headers['Content-Disposition'])) { - if (preg_match('/filename\*=(?:([a-zA-Z0-9_-]+?)\'\')"?([a-z0-9_.~%-]+)"?/i', $headers['Content-Disposition'], $m)) { - $_name = rawurldecode($m[2]); - if ($m[1] && strtoupper($m[1]) !== 'UTF-8' && function_exists('mb_convert_encoding')) { - $_name = mb_convert_encoding($_name, 'UTF-8', $m[1]); + if ($data = $this->get_remote_contents($url, 30, 5, 'Mozilla/5.0', $fp)) { + // to check connection is aborted + elFinder::checkAborted(); + $_name = preg_replace('~^.*?([^/#?]+)(?:\?.*)?(?:#.*)?$~', '$1', rawurldecode($url)); + // Check `Content-Disposition` response header + if ($data && ($headers = get_headers($url, true)) && !empty($headers['Content-Disposition'])) { + if (preg_match('/filename\*=(?:([a-zA-Z0-9_-]+?)\'\')"?([a-z0-9_.~%-]+)"?/i', $headers['Content-Disposition'], $m)) { + $_name = rawurldecode($m[2]); + if ($m[1] && strtoupper($m[1]) !== 'UTF-8' && function_exists('mb_convert_encoding')) { + $_name = mb_convert_encoding($_name, 'UTF-8', $m[1]); + } + } else if (preg_match('/filename="?([ a-z0-9_.~%-]+)"?/i', $headers['Content-Disposition'], $m)) { + $_name = rawurldecode($m[1]); } - } else if (preg_match('/filename="?([ a-z0-9_.~%-]+)"?/i', $headers['Content-Disposition'], $m)) { - $_name = rawurldecode($m[1]); } } }
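Review bot: the new `preg_match` guard in `get_remote_contents` (hunk at -2395) checks only that `$url` begins with an `http`, `https`, `ftp` or `ftps` scheme: the pattern is anchored with `^` but not `$`, so anything after a valid prefix is accepted, and the host is never examined, so a well-formed `http://` URL pointing at a loopback or intranet address still reaches `curl_get_contents` or `fsock_get_contents`. The check also runs once on the initial URL while the function follows up to `$redirect_max = 5` redirects, and nothing in this hunk constrains the scheme a redirect may land on. Suggest documenting the guard as a scheme filter only, restricting protocols in the curl and fsock paths as well, and validating the resolved host on each hop. Separately, `return false;` changes the method's contract; every caller, not just `upload`, should be audited for handling a `false` result.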
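Review bot: wrapping the block in `if ($data = $this->get_remote_contents(...))` (hunk at -3037) leaves the inner `if ($data && ($headers = get_headers($url, true)) ...)` test of `$data` redundant, and it drops the failure path entirely: when the fetch is refused, `$fp = fopen($tmpfname, 'wb')` has already been opened and the visible lines neither close it nor report the rejected URL to the user. Suggest an `else` branch that closes `$fp`, removes the temp file and records an error. Note also that `get_headers($url, true)` is a second, independent request to the same URL through PHP's stream wrapper, so any protocol or redirect restriction applied inside `get_remote_contents` does not cover that request.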
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-jcgc-vxqg-85xx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-5884 (ghsa, ADVISORY)
- github.com/Studio-42/elFinder/commit/f133163f2d754584de65d718b2fde96191557316 (ghsa, x_refsource_MISC, WEB)
- github.com/Studio-42/elFinder/releases/tag/2.1.45 (ghsa, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.