elFinder Vulnerability Fix for PHP

elFinder is an open source web file manager that lets users upload files to your app. Deployed as shipped, it has a serious weakness: anyone who can reach its URL can upload files to your server, with no authentication at all. On top of that, versions 2.1.48 and earlier let an attacker inject script into your app through an uploaded file; in 2.1.49 and later that script is blocked, but the unauthenticated upload still succeeds. Upgrading is therefore necessary, but it does not by itself close the open upload endpoint, which is what this post addresses.

What is the vulnerability? The elFinder page can be reached without authentication by navigating straight to its path in your app. For example, if elFinder lives at yourURL/vendors/elfinder/elfinder-pick.html, an attacker can open that URL directly and upload files and documents to your server. Keep in mind that the HTML page is only a front end: the uploads themselves are handled by the PHP connector the page points at (php/connector.php in the code below), so that endpoint needs the same protection, not just the page.

So what can we do about it? Luckily, we can fix this in three steps by putting a login in front of elFinder.

  1. Rename the elFinder HTML page (“elfinder.html” in the steps below) to “elfinder.php”.
  2. Inside elfinder.php, paste the following code. Replace the values “admin” and “mypassword” with your own username and password.
<pre lang="php">
<?php
session_start();

// Credentials: replace both values with your own. hash_equals() below is a strict,
// constant-time comparison; for anything beyond a single shared login, store a
// password_hash() value and check it with password_verify() instead.
$elfinderUser = 'admin';
$elfinderPass = 'mypassword';

if (isset($_GET['logout'])) {
    session_destroy();
    header('Location: elfinder.php');
    exit();
}

if (!isset($_SESSION['authorized'])) {
    if (isset($_POST['submit'])) {
        $user = (string) ($_POST['username'] ?? '');
        $pass = (string) ($_POST['password'] ?? '');
        // hash_equals() avoids PHP's loose "==" string/number juggling and timing leaks.
        if (hash_equals($elfinderUser, $user) && hash_equals($elfinderPass, $pass)) {
            session_regenerate_id(true); // new session id on login, defeats session fixation
            $_SESSION['authorized'] = true;
            header('Location: elfinder.php');
            exit();
        }
    }
?><form action='' method='post' autocomplete='off'>
<p>Username: <input type="text" name="username" value=""></p>
<p>Password: <input type="password" name="password" value=""></p>
<p><input type="submit" name="submit" value="Login"></p>
</form>
<?php } else { ?><!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>File Manager</title>
<!-- jQuery and jQuery UI (REQUIRED); loaded over https so the page is not mixed content -->
<link rel="stylesheet" type="text/css" media="screen" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/themes/smoothness/jquery-ui.css">
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js"></script>
<!-- elFinder CSS (REQUIRED) -->
<link rel="stylesheet" type="text/css" media="screen" href="css/elfinder.min.css">
<link rel="stylesheet" type="text/css" media="screen" href="css/theme.css">
<!-- elFinder JS (REQUIRED) -->
<script type="text/javascript" src="js/elfinder.min.js"></script>
<!-- elFinder translation (OPTIONAL; this one is Russian, swap in your language or drop it) -->
<script type="text/javascript" src="js/i18n/elfinder.ru.js"></script>
<!-- elFinder initialization (REQUIRED) -->
<script type="text/javascript" charset="utf-8">
// Helper function to get parameters from the query string.
function getUrlParam(paramName) {
    var reParam = new RegExp('(?:[?&]|&amp;)' + paramName + '=([^&]+)', 'i');
    var match = window.location.search.match(reParam);
    return (match && match.length > 1) ? match[1] : '';
}
$().ready(function() {
    // CKEditor passes the callback number it expects elFinder to hand the chosen file to.
    var funcNum = getUrlParam('CKEditorFuncNum');
    var elf = $('#elfinder').elfinder({
        url : 'php/connector.php', // the PHP connector: every command, uploads included, goes here
        getFileCallback : function(file) {
            window.opener.CKEDITOR.tools.callFunction(funcNum, file);
            window.close();
        },
        resizable: false
    }).elfinder('instance');
});
</script>
</head>
<body>
<p><a href='?logout'>Logout</a></p><!-- Element where elFinder will be created (REQUIRED) -->
<div id="elfinder"></div>
</body>
</html>
<?php } ?>
</pre>

  3. Since we changed the name of the elFinder file, update every reference (Ctrl+Shift+F in your editor) from elfinder.html to elfinder.php.

Before calling it done, test the connector on its own: request php/connector.php?cmd=open&init=1 (elFinder's own initialisation request) in a fresh browser window or with curl, sending no session cookie. If it answers with a JSON directory listing, the login page is being bypassed and the connector needs the same session check as the page.
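The login above only guards the HTML page; elFinder's JavaScript sends every command, uploads included, to the connector URL (php/connector.php in the page code), and that file knows nothing about our session. The following is an added example, not code from this post or from the elFinder project, showing how to move the check into a small shared include and require it from the connector as well. It assumes the default elFinder layout (elfinder.php at the top level, php/connector.php and elFinder's own php/autoload.php beneath it), a hypothetical auth.php placed next to elfinder.php, an upload root of /var/www/uploads/ served at /uploads/, and that you paste your own password_hash() output into ELFINDER_PASS_HASH.

```php
<?php
// ---- auth.php (hypothetical shared guard, placed next to elfinder.php) ----
// Added example, not part of elFinder. Both elfinder.php and php/connector.php
// include this file, so the connector can only be driven by a logged-in session.
declare(strict_types=1);

const ELFINDER_USER = 'admin';                      // change me
// Paste the output of: php -r 'echo password_hash("mypassword", PASSWORD_DEFAULT);'
const ELFINDER_PASS_HASH = 'REPLACE_WITH_PASSWORD_HASH';   // placeholder, never verifies

function elfinder_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start([
            'cookie_httponly' => true,                   // JS cannot read the cookie
            'cookie_samesite' => 'Strict',               // not sent on cross-site requests
            'cookie_secure'   => !empty($_SERVER['HTTPS']),
        ]);
    }
}

function elfinder_is_authorized(): bool
{
    elfinder_session();
    return !empty($_SESSION['authorized']);
}

// Returns true and upgrades the session on a correct login, false otherwise.
function elfinder_try_login(string $user, string $pass): bool
{
    elfinder_session();
    $userOk = hash_equals(ELFINDER_USER, $user);
    // password_verify() runs even when the username is wrong, so both failures
    // cost the same time; it returns false for the placeholder hash above.
    $passOk = password_verify($pass, ELFINDER_PASS_HASH);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id: a pre-login id planted by an attacker is useless
    $_SESSION['authorized'] = true;
    return true;
}

// For the connector: refuse in elFinder's JSON error shape and stop.
function elfinder_require_authorized_json(): void
{
    if (elfinder_is_authorized()) {
        return;
    }
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => ['errAccess']]);   // errAccess: elFinder's "Access denied" key
    exit;
}
```

```php
<?php
// ---- php/connector.php (top of the connector file shipped by elFinder) ----
require_once __DIR__ . '/../auth.php';
elfinder_require_authorized_json();   // no session, no commands: the bypass is closed

require './autoload.php';             // elFinder's own autoloader
$opts = [
    'roots' => [[
        'driver'      => 'LocalFileSystem',
        'path'        => '/var/www/uploads/',   // assumption: your upload root
        'URL'         => '/uploads/',           // assumption: how that root is served
        // Defence in depth: even a logged-in user may only upload these MIME types,
        // so a .php file is rejected before it ever lands on disk.
        'uploadDeny'  => ['all'],
        'uploadAllow' => ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'],
        'uploadOrder' => ['deny', 'allow'],
    ]],
];
$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

In elfinder.php, require auth.php at the top and replace the inline username/password test with elfinder_try_login($user, $pass) and the isset($_SESSION['authorized']) test with elfinder_is_authorized(); the rest of the page stays as it is. With the connector guarded, the cmd=open&init=1 request with no cookie returns 403 and {"error":["errAccess"]} instead of a listing. The cookie options passed to session_start() need PHP 7.0 or later (cookie_samesite needs 7.3); on older PHP, drop the array and set the equivalent session.cookie_* ini values instead.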

HTML, JavaScript, and CSS Tutorials
Lance Watanabe