id: drupal7-elfinder-rce

info:
  name: Drupal 7 Elfinder - Remote Code Execution
  author: 1337kro
  severity: critical
  description: |
    Identifies Drupal sites with the elfinder library installed, which could be vulnerable to unrestricted file upload through the connector.php file.When this component is detected, the site may be vulnerable to remote code execution attacks via PHP file uploads.This template only detects the presence of the vulnerable component and does not perform any exploitation.
  reference:
    - https://github.com/Kro0oz/drupal-7-elfinder
  remediation: |
    Remove the elfinder library if not needed, or implement proper file upload restrictions and input validation. Additionally, consider implementing Web Application Firewall rules to block access to the connector.php file.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-434
  metadata:
    verified: true
    fofa-query: app="drupal"
    product: Drupal
    vendor: Drupal
  tags: drupal,elfinder,filemanager,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/sites/all/libraries/elfinder/connectors/php/connector.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"cwd":'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b37d98c5276413f62b1fbef683732a44c8d438cba5e4db0ea593f0e74728d6c3022079e7bd1997bb8d771d8d56395f15cee885cdcd149367f00ec93f33ded6ee426b:922c64590222798bb761d5b6d8e72950