EraHost – Free Domain, Cheap Hosting!
USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia
AED - United Arab Emirat...United Arab Emirates Dirham
AMD - Armenian Dram
AOA - Angolan Kwanza
ARS - Argentina Peso
AWG - Aruba Guilder
AZN - Azerbaijanian Mana...Azerbaijanian Manat
BAM - Bosnian Convertibl...Bosnian Convertible Marka
BDT - Bangladesh Taka
BGN - Bulgarian Lev
BHD - Bahraini Dinar
BIF - Burundian Franc
BMD - Bermudian Dollar
BND - Brunei Dollar
BOB - Bolivian Boliviano
BRL - Brazilian Real
BSD - Bahamian Dollar
BTN - Bhutanese Ngultrum
BWP - Botswana Pula
BZD - Belize Dollar
CLP - Chilean Peso
CRC - Costa Rican Colon
CVE - Cape Verdean Escud...Cape Verdean Escudo
CZK - Czech Koruna
DJF - Djiboutian Franc
DKK - Danish Krone
DOP - Dominican Peso
DZD - Algerian Dinar
EGP - Egyptian Pound
ETB - Ethiopian Birr
FJD - Fijian Dollar
FKP - Falkland Island Po...Falkland Island Pound
GEL - Georgian Lari
GGP - Guernsey Pound
GHS - Ghanaian Cedi
GMD - Gambian Dalasi
GTQ - Guatemalan Quetzal
GYD - Guyanese Dollar
HKD - Hong Kong Dollar
HNL - Honduran Lempira
HRK - Croatian Kuna
HUF - Hungarian Forint
ILS - Israeli New Shekel
IMP - Isle of Man Pound
ISK - Icelandic Krona
JEP - Jersey Pound
KES - Kenyan Shilling
KGS - Kyrgystani Som
KMF - Comorian Franc
KRW - South Korean Won
KWD - Kuwaiti Dinar
KZT - Kazakhstani Tenge
LAK - Lao Kip
LKR - Sri Lankan Rupee
LRD - Liberian Dollar
LSL - Lesotho Loti
LTL - Lithuanian Litas
LVL - Latvian Lats
MAD - Moroccan Dirham
MDL - Moldovan Leu
MKD - Macedonian Denar
MNT - Mongolian Tugrik
MOP - Macanese Pataca
MRO - Mauritanian Ouguiy...Mauritanian Ouguiya
MUR - Mauritian Rupee
MVR - Maldivian Rufiyaa
MXN - Mexican Peso
MYR - Malaysian Ringgit
MZN - Mozambican Metical
NAD - Namibian Dollar
NIO - Nicaraguan Cordoba...Nicaraguan Cordoba Oro
NOK - Norwegian Krone
NPR - Nepalese Rupee
NZD - New Zealand Dollar
OMR - Omani Rial
PEN - Peruvian Nuevo Sol
PGK - Papua New Guinean...Papua New Guinean Kina
PKR - Pakistani Rupee
PLN - Polish Zloty
PYG - Paraguayan Guarani
QAR - Qatari Riyal
RON - Romanian New Leu
RSD - Serbian Dinar
RWF - Rwandan Franc
SAR - Saudi Riyal
SBD - Solomon Islands Do...Solomon Islands Dollar
SCR - Seychellois Rupee
SEK - Swedish Krona
SGD - Singapore Dollar
SHP - St. Helena Pound
SRD - Surinamese Dollar
SVC - Salvadoran Colon
SZL - Swazi Lilangeni
THB - Thai Baht
TJS - Tajikistani Somoni
TMT - Turkmenistani Mana...Turkmenistani Manat
TND - Tunisian Dinar
TOP - Tongan Pa`anga
TWD - New Taiwan Dollar
UYU - Uruguayan Peso
WST - Samoan Tala
ZMW - Zambian Kwacha
› Блог
› ElFinder Cross-Site Scripting XSS Vulnerability
Cross-Site Scripting (XSS) in elFinder occurs when user input is not properly sanitized, allowing attackers to inject malicious JavaScript into file names, metadata, or responses.
Potential Risks of XSS in elFinder:
An attacker uploads a file with an XSS payload as its name:
Attack Payload:
Telegram Bot
curl -X POST -F "cmd=rename" -F "target=l1_test.txt" -F "name=<script>alert('XSS')</script>" http://yourdomain.com/elfinder/php/connector.phpIf the system is not sanitizing filenames, this script executes when a user views the file list.
If elFinder allows unrestricted access to stored files, an attacker can craft a malicious URL:
http://yourdomain.com/elfinder/files/<script>alert('XSS')</script>.jpgIf Content-Disposition headers are missing, the file may execute instead of downloading.
Some versions of elFinder return unsanitized JSON responses, allowing JavaScript injection:
Exploit:
curl "http://yourdomain.com/elfinder/php/connector.php?cmd=open&target=l1_Lw<script>alert('XSS')</script>"This will inject JavaScript into elFinder's file manager interface.
Edit connector.php and sanitize filenames:
'plugin' => array(
'Sanitizer' => array(
'enable' => true,
'targets' => array('\\', '/', ':', '*', '?', '"', '<', '>', '|', ' '),
'replace' => '_'
)
)This replaces dangerous characters with underscores (_).
Modify connector.php to ensure all input is properly sanitized:
if (isset($_GET['cmd'])) {
$_GET['cmd'] = htmlspecialchars($_GET['cmd'], ENT_QUOTES, 'UTF-8');
}
if (isset($_GET['target'])) {
$_GET['target'] = htmlspecialchars($_GET['target'], ENT_QUOTES, 'UTF-8');
}This prevents script injection through GET parameters.
To block inline JavaScript execution, add this to Apache's .htaccess or Nginx config:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"This blocks any scripts from running outside your server.
Limit upload types in connector.php:
'uploadAllow' => array('image/png', 'image/jpeg', 'application/pdf'),
'uploadDeny' => array('all'),This prevents uploading malicious JavaScript disguised as .html, .svg, or .php files.
Add the following .htaccess rules in elfinder/files/:
<FilesMatch "\.(html|js|svg|json|php)$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>This ensures files download instead of executing in the browser.
| XSS Vulnerability | Fix |
|---|---|
| Filename XSS | Enable filename sanitization (Sanitizer plugin) |
| URL-based XSS | Use .htaccess to force downloads |
| JSON Response XSS | Sanitize $_GET input in connector.php |
| Stored XSS in Metadata | Use htmlspecialchars() to escape inputs |
| Prevent inline script execution | Use Content Security Policy (CSP) |
Now elFinder is protected against XSS attacks!
USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
RUB - Russian Ruble
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia