Хостинг от ERA Host
EraHost – Free Domain, Cheap Hosting!
Client Area
Support 24/7
USD

Select Currency

USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia
AED - United Arab Emirat...United Arab Emirates Dirham
AMD - Armenian Dram
AOA - Angolan Kwanza
ARS - Argentina Peso
AWG - Aruba Guilder
AZN - Azerbaijanian Mana...Azerbaijanian Manat
BAM - Bosnian Convertibl...Bosnian Convertible Marka
BDT - Bangladesh Taka
BGN - Bulgarian Lev
BHD - Bahraini Dinar
BIF - Burundian Franc
BMD - Bermudian Dollar
BND - Brunei Dollar
BOB - Bolivian Boliviano
BRL - Brazilian Real
BSD - Bahamian Dollar
BTN - Bhutanese Ngultrum
BWP - Botswana Pula
BZD - Belize Dollar
CLP - Chilean Peso
CRC - Costa Rican Colon
CVE - Cape Verdean Escud...Cape Verdean Escudo
CZK - Czech Koruna
DJF - Djiboutian Franc
DKK - Danish Krone
DOP - Dominican Peso
DZD - Algerian Dinar
EGP - Egyptian Pound
ETB - Ethiopian Birr
FJD - Fijian Dollar
FKP - Falkland Island Po...Falkland Island Pound
GEL - Georgian Lari
GGP - Guernsey Pound
GHS - Ghanaian Cedi
GMD - Gambian Dalasi
GTQ - Guatemalan Quetzal
GYD - Guyanese Dollar
HKD - Hong Kong Dollar
HNL - Honduran Lempira
HRK - Croatian Kuna
HUF - Hungarian Forint
ILS - Israeli New Shekel
IMP - Isle of Man Pound
ISK - Icelandic Krona
JEP - Jersey Pound
KES - Kenyan Shilling
KGS - Kyrgystani Som
KMF - Comorian Franc
KRW - South Korean Won
KWD - Kuwaiti Dinar
KZT - Kazakhstani Tenge
LAK - Lao Kip
LKR - Sri Lankan Rupee
LRD - Liberian Dollar
LSL - Lesotho Loti
LTL - Lithuanian Litas
LVL - Latvian Lats
MAD - Moroccan Dirham
MDL - Moldovan Leu
MKD - Macedonian Denar
MNT - Mongolian Tugrik
MOP - Macanese Pataca
MRO - Mauritanian Ouguiy...Mauritanian Ouguiya
MUR - Mauritian Rupee
MVR - Maldivian Rufiyaa
MXN - Mexican Peso
MYR - Malaysian Ringgit
MZN - Mozambican Metical
NAD - Namibian Dollar
NIO - Nicaraguan Cordoba...Nicaraguan Cordoba Oro
NOK - Norwegian Krone
NPR - Nepalese Rupee
NZD - New Zealand Dollar
OMR - Omani Rial
PEN - Peruvian Nuevo Sol
PGK - Papua New Guinean...Papua New Guinean Kina
PKR - Pakistani Rupee
PLN - Polish Zloty
PYG - Paraguayan Guarani
QAR - Qatari Riyal
RON - Romanian New Leu
RSD - Serbian Dinar
RWF - Rwandan Franc
SAR - Saudi Riyal
SBD - Solomon Islands Do...Solomon Islands Dollar
SCR - Seychellois Rupee
SEK - Swedish Krona
SGD - Singapore Dollar
SHP - St. Helena Pound
SRD - Surinamese Dollar
SVC - Salvadoran Colon
SZL - Swazi Lilangeni
THB - Thai Baht
TJS - Tajikistani Somoni
TMT - Turkmenistani Mana...Turkmenistani Manat
TND - Tunisian Dinar
TOP - Tongan Pa`anga
TWD - New Taiwan Dollar
UYU - Uruguayan Peso
WST - Samoan Tala
ZMW - Zambian Kwacha
Menu
EraHost – Free Domain, Cheap Hosting!
Хостинг от ERA Host
  • Registration
  • 24/7 Support
    24/7 Support
На главную  ›  Блог  ›  ElFinder Vulnerabilities Security Risks

ElFinder Vulnerabilities – Security Risks & Fixes

Contents: What is elFinder? Common ElFinder Vulnerabilities & Exploits Additional Security Measures Summary of Fixes
ElFinder Vulnerabilities Security Risks and Fixes

What is elFinder?

elFinder is an open-source web-based file manager written in JavaScript, widely used in CMS platforms, hosting panels, and web applications. However, poor configuration can expose serious security risks.

Common ElFinder Vulnerabilities & Exploits

Unauthorized File Uploads

  • Attackers can upload malicious PHP scripts (shell.php), leading to server compromise.
  • Some versions of elFinder allow unrestricted file uploads due to missing authentication checks.

Example Exploit:

curl -X POST -F "cmd=upload" -F "target=l1_Lw" -F "upload[]=@shell.php" http://yourdomain.com/elfinder/php/connector.php

Risk: This can lead to remote code execution (RCE).

Fix:

  • Restrict upload types in connector.php: 
    'uploadAllow' => array('image/png', 'image/jpeg', 'application/pdf'),
'uploadDeny'  => array('all'),
  • Disable direct access to PHP files in upload folders: 
    <Directory /var/www/html/elfinder/files>
    <FilesMatch "\.php$">
        Deny from all
    </FilesMatch>
</Directory>

Authentication Bypass

  • Old versions of elFinder (before 2.1.57) allowed unauthorized users to access connector.php, exposing sensitive files.

Example Exploit:

curl http://yourdomain.com/elfinder/php/connector.php?cmd=open

Risk: Anyone can browse your server files.

Fix:

  • Enable authentication in connector.php: 
    'bind' => array(
    'upload.pre' => array(
        'Plugin.Sanitizer.cmdUploadPre',
        'Plugin.Authentication.cmdPre',
    )
),
  • Restrict access using .htaccess: 
    <Files "connector.php">
    Require all denied
</Files>

Arbitrary File Read (LFI)

  • Vulnerable versions allow Local File Inclusion (LFI), exposing config files (wp-config.php, .env, database.php).

Example Exploit:

curl "http://yourdomain.com/elfinder/php/connector.php?cmd=file&target=l1_L2NvbmZpZy5waHA"

Risk: Attackers can steal database credentials.

Fix:

  • Disable direct file access: 
    <FilesMatch "(config\.php|\.env|database\.php)">
    Require all denied
</FilesMatch>
  • Upgrade to the latest elFinder version.

Cross-Site Scripting (XSS)

  • If filenames are not sanitized, attackers can inject JavaScript.

Example Exploit:

curl -X POST -F "cmd=rename" -F "target=l1_test.txt" -F "name=<script>alert('XSS')</script>" http://yourdomain.com/elfinder/php/connector.php

Risk: Session hijacking, stealing cookies, redirecting users.

Fix:

  • Enable elFinder’s built-in filename sanitizer: 
    'plugin' => array(
    'Sanitizer' => array(
        'enable' => true,
        'targets' => array('\\', '/', ':', '*', '?', '"', '<', '>', '|', ' '),
        'replace' => '_'
    )
)
  • Use Content Security Policy (CSP) to prevent execution of injected scripts.

Additional Security Measures

Restrict ElFinder to Authorized Users

  • Use Basic Auth for extra security: 
    <Directory /var/www/html/elfinder>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

Remove elFinder After Use

  • If elFinder is no longer needed, delete it: 
    rm -rf /var/www/html/elfinder

Summary of Fixes

Vulnerability Fix
Unrestricted file uploads Restrict file types, disable PHP execution
Authentication bypass Restrict connector.php, enable authentication
Arbitrary file read (LFI) Block sensitive files using .htaccess
Cross-Site Scripting (XSS) Enable filename sanitization, use CSP

Keep elFinder updated & restrict access to prevent exploits!

Hosting

Cloud Solution

For You

VDS

Website Builders


Our services

Client Area

Contact

ICANN
18+ Service. By continuing to use this website, you agree to the use of cookies. More detailed information can be found on the "What are cookies"page.

Выберите валюту

USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
RUB - Russian Ruble
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia
© 2006 - 2026 EraHost. All rights reserved