Elfinder Vulnerability Fix for PHP

elFinder is an open-source web file manager that lets users upload and manage files from within your app. As it ships, however, it has a serious weakness: anyone who can reach it can upload files to your server. If you are running version 2.1.48 or earlier, an attacker can also inject scripts into your app through the uploaded file; in 2.1.49 and later the upload is still possible, but the malicious scripts are disabled.

What is the vulnerability? The elFinder page has no authentication of its own, so anyone who knows its path can open it. If, for example, it lives at yourURL/vendors/elfinder/elfinder-pick.html, an attacker can browse straight to that URL and upload files and documents to your server. Keep in mind that the page is only the user interface: the uploads are actually handled by the PHP connector it talks to (php/connector.php in the configuration below), so that script must be protected as well, not just the HTML page.

So what can we do about this? Luckily the fix is easy: put a login of your own in front of elFinder. It takes three short steps.

  1. Rename the “elfinder.html” file to “elfinder.php”.
  2. Paste the following code into elfinder.php, replacing “admin” and “mypassword” with your own username and password.
<pre lang="php">
<?php
session_start();

// Replace these two values with your own credentials.
$username = 'admin';
$password = 'mypassword';

// ?logout clears the session and sends the user back to the login form.
if (isset($_GET['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: elfinder.php');
    exit;
}

// Login attempt: compare in constant time, rotate the session id, then redirect.
if (isset($_POST['username'], $_POST['password'])
    && hash_equals($username, (string) $_POST['username'])
    && hash_equals($password, (string) $_POST['password'])) {
    session_regenerate_id(true);
    $_SESSION['authorized'] = true;
    header('Location: elfinder.php');
    exit;
}

// Not logged in: show the form and stop before any elFinder markup is sent.
if (empty($_SESSION['authorized'])) { ?>
<form action="" method="post" autocomplete="off">
<p>Username: <input type="text" name="username" value=""></p>
<p>Password: <input type="password" name="password" value=""></p>
<p><input type="submit" name="submit" value="Login"></p>
</form>
<?php exit; } ?>
<!DOCTYPE html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>File Manager</title>
<!-- jQuery and jQuery UI (REQUIRED) -->
<link rel="stylesheet" type="text/css" media="screen" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/themes/smoothness/jquery-ui.css">
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js"></script>
<!-- elFinder CSS (REQUIRED) -->
<link rel="stylesheet" type="text/css" media="screen" href="css/elfinder.min.css">
<link rel="stylesheet" type="text/css" media="screen" href="css/theme.css">
<!-- elFinder JS (REQUIRED) -->
<script type="text/javascript" src="js/elfinder.min.js"></script>
<!-- elFinder translation (OPTIONAL) -->
<script type="text/javascript" src="js/i18n/elfinder.ru.js"></script>
<!-- elFinder initialization (REQUIRED) -->
<script type="text/javascript" charset="utf-8">
// Helper function to get parameters from the query string.
function getUrlParam(paramName) {
var reParam = new RegExp('(?:[?&]|&amp;)' + paramName + '=([^&]+)', 'i');
var match = window.location.search.match(reParam);
return (match && match.length > 1) ? match[1] : '';
}
$().ready(function() {
var funcNum = getUrlParam('CKEditorFuncNum');
var elf = $('#elfinder').elfinder({
url : 'php/connector.php',
// Hand the chosen file back to the CKEditor dialog that opened this window.
getFileCallback : function(file) {
window.opener.CKEDITOR.tools.callFunction(funcNum, file);
window.close();
},
resizable: false
}).elfinder('instance');
});
</script>
<p><a href='?logout'>Logout</a></p>
<!-- Element where elFinder will be created (REQUIRED) -->
<div id="elfinder"></div>
</pre>

  3. Since the file was renamed, search the project (Ctrl + Shift + F) for every reference to elfinder.html and change it to elfinder.php.
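The login above gates the page that hosts the elFinder UI, but the uploads themselves are processed by the connector script the page calls (php/connector.php in the configuration above), and an attacker can POST to that script directly without ever loading elfinder.php. The following addition, which is not part of the original post or of elFinder itself, reuses the same session flag to gate the connector. It assumes the connector file is the stock php/connector.php and that elfinder.php is served from the same host so the two share a session cookie:

```php
<?php
// Added example: put this at the very top of php/connector.php, before any
// elFinder class is loaded or any $opts are built. Nothing else in the
// connector changes.
session_start();

// $_SESSION['authorized'] is the flag set by the login in elfinder.php.
if (empty($_SESSION['authorized'])) {
    // Deny before any elFinder command (upload, mkfile, rename, rm, ...) runs.
    http_response_code(403);
    header('Content-Type: application/json');
    // elFinder reads an "error" key from connector responses; the message
    // text here is our own choice, not an elFinder-defined error code.
    echo json_encode(array('error' => 'Unauthorized'));
    exit;
}

// ... the rest of the stock connector (require of elFinder classes,
// $opts definition and the connector run) follows unchanged.
```

To check the fix, request the connector without a session cookie, for example `php/connector.php?cmd=open&init=1`, which is the first command the elFinder client sends: it should now answer 403 instead of a directory listing, while the same request from a browser that has logged in through elfinder.php still succeeds.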
