CVE-2024-38909
Description
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Studio 42 elFinder 2.1.64 has an incorrect access control vulnerability that allows copying files with unauthorized extensions, leading to secret disclosure and potential RCE.
Vulnerability
Overview
Studio 42 elFinder version 2.1.64 is vulnerable to an incorrect access control issue. The root cause is that the file manager does not properly validate file extensions when copying files between server directories. This oversight allows an attacker to copy files with unauthorized extensions, bypassing intended access restrictions [1].
Exploitation
An attacker can exploit this vulnerability without authentication, as elFinder is often exposed on public servers. The attack requires network access to the elFinder web interface. By abusing the copy operation, an attacker can transfer files with disallowed extensions (e.g., PHP, executable scripts) into web-accessible directories. This can be done through direct HTTP requests to elFinder's connector or via the client-side UI if available [2][4].
Impact
Successful exploitation can lead to exposure of sensitive server secrets (e.g., configuration files, database credentials) and remote code execution (RCE). If an attacker places a malicious script whose extension the upload path would have rejected, but which the copy operation accepts, into a web-accessible directory and executes it, they can gain full control over the server [1][4].
Mitigation
Studio 42 has not released a specific patch for this CVE, but the project's advisory strongly urges all users of versions 2.1.67 or earlier to update to the latest version or remove elFinder from public servers to prevent serious damage [2]. Administrators should ensure they are running the most recent release and apply strict file-upload and copy restrictions as a workaround.
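The workaround above amounts to applying one extension policy to every command that creates a file in a volume, not only to uploads. The following PHP is an added illustration of that principle and is not elFinder's own code: `ExtensionPolicy`, `copyWithUploadOnlyCheck`, `copyWithUniformCheck`, the allow/deny lists and the sample file names are all hypothetical, constructed for this example. The "upload-only" variant has the shape of the flaw the advisory describes (copy and paste bypass the gate); the "uniform" variant keys the same check on the destination name for every operation and fails closed on unknown commands.

```php
<?php
// Added example (not elFinder's own code): enforce one extension policy
// on every operation that creates a file in a volume, copy/paste included,
// so a file cannot reach a web-accessible directory with an extension the
// upload path would have rejected. All names below are hypothetical.

declare(strict_types=1);

final class ExtensionPolicy
{
    /** @var string[] lower-case extensions that may be written (hypothetical allowlist) */
    private array $allow;
    /** @var string[] lower-case extensions that are never accepted, even if also in $allow */
    private array $deny;

    public function __construct(array $allow, array $deny)
    {
        $this->allow = array_map('strtolower', $allow);
        $this->deny  = array_map('strtolower', $deny);
    }

    /**
     * True when $name may be created in the target volume.
     * Every dot-separated suffix is checked, so "cat.php.jpg" is judged on
     * "php" as well as "jpg" (double extensions are a classic bypass), and
     * dotfiles such as ".htaccess" are judged on "htaccess".
     */
    public function isAllowed(string $name): bool
    {
        $parts = explode('.', strtolower(basename($name)));
        array_shift($parts);            // drop the base name itself
        if ($parts === []) {
            return false;               // no extension at all: refuse rather than guess
        }
        foreach ($parts as $ext) {
            if (in_array($ext, $this->deny, true)) {
                return false;
            }
        }
        return in_array(end($parts), $this->allow, true);
    }
}

/**
 * Weak pattern (the shape of the bug the advisory describes): the policy is
 * consulted on upload only, so copy/paste into another volume is unchecked.
 */
function copyWithUploadOnlyCheck(ExtensionPolicy $policy, string $dstName, string $op): bool
{
    if ($op === 'upload' && !$policy->isAllowed($dstName)) {
        return false;
    }
    return true;                        // 'copy' and 'paste' fall through unchecked
}

/**
 * Hardened pattern: the same gate runs for every file-creating command,
 * keyed on the name the file will have in the destination volume.
 */
function copyWithUniformCheck(ExtensionPolicy $policy, string $dstName, string $op): bool
{
    if (!in_array($op, ['upload', 'copy', 'paste', 'rename'], true)) {
        return false;                   // unknown command: fail closed
    }
    return $policy->isAllowed($dstName);
}

// Constructed demonstration input (hypothetical lists and file names)
$policy = new ExtensionPolicy(['jpg', 'png', 'pdf', 'txt'], ['php', 'phtml', 'phar', 'htaccess']);

$cases = [
    ['op' => 'upload', 'name' => 'report.pdf'],
    ['op' => 'upload', 'name' => 'shell.php'],
    ['op' => 'copy',   'name' => 'shell.php'],     // the gap: a copied .php file
    ['op' => 'paste',  'name' => 'cat.php.jpg'],   // double extension
    ['op' => 'copy',   'name' => '.htaccess'],     // dotfile that changes server behaviour
];

foreach ($cases as $c) {
    printf("%-6s %-12s upload-only:%-5s uniform:%s\n",
        $c['op'], $c['name'],
        copyWithUploadOnlyCheck($policy, $c['name'], $c['op']) ? 'allow' : 'deny',
        copyWithUniformCheck($policy, $c['name'], $c['op']) ? 'allow' : 'deny');
}
```

Run with `php example.php`: the upload-only variant allows `shell.php`, `cat.php.jpg` and `.htaccess` whenever the operation is `copy` or `paste`, while the uniform variant denies all three and still admits `report.pdf`. The design point is that the decision depends only on the destination name and the policy, never on which command produced the file.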
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | <= 2.1.64 | — |
Affected products
- Studio 42/elFinder
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3h9f-mm2x-4j58 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-38909 (GHSA, advisory)
- elfinder.com (GHSA, web)
- github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909 (GHSA, web)
News mentions
No linked articles in our index yet.