Advisory about vulnerability of CVE 2018 9109 and CVE 2018 9110
Naoki Sawada edited this page Mar 29, 2018
·
3 revisions
A directory traversal vulnerability in the zipdl command exists in the PHP connector of elFinder version 2.1.12 to 2.1.35 and 2.1.36 (Windows server). Users installing the corresponding version on the server must take the following countermeasures.
Upgrade to elFinder version 2.1.36 or 2.1.37 (Windows server) or higher.
If upgrade shown in Plan a is impossible, Please modify the zipdl() function of elFinder.class.php code as follows at your own risk.
// 2nd: Return array contains opened file pointer, root itself and required headers
if (count($targets) !== 4 || ($volume = $this->volume($targets[0])) == false) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$file = $targets[1];TO
// 2nd: Return array contains opened file pointer, root itself and required headers
if (count($targets) !== 4 || ($volume = $this->volume($targets[0])) == false) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$file = $targets[1];
// checking the validity of the file parameter
if (strpos(str_replace('/', DIRECTORY_SEPARATOR, $file), DIRECTORY_SEPARATOR) !== false) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}CVSS Score: 7.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- An attacker can download and delete any files on the server under PHP execution privilege.
Ravindra Rajaram ravindra.rajaram@ca.com and Kevin Kotas kevin.kotas@ca.com