ElFinder is an interesting open-source project implementing a file manager in JavaScript and PHP. The file manager promises a user experience similar to the "Finder" in macOS. Once you have elFinder installed, uploading and downloading files to your web server will be a lot easier.

But then there are vulnerabilities. Over the years, elFinder had several severe vulnerabilities. Snyk lists 7, some as recent as June 2021. The most recent vulnerability, CVE-2021-32682, is a remote code execution vulnerability. SonarSource has a nice blog post with details about the vulnerability.

When it comes to allowing file uploads, there is one critical rule: do not allow uploads into the document root. Otherwise, an attacker can upload a PHP script and later execute the code by accessing the script from the browser. Tools like elFinder do not always have that luxury. The tool's purpose is to upload files into more or less arbitrary locations, and the most common use case allows uploads of assets like images to the document root. To mitigate that risk, these tools implement blocklists of particular extensions and filetypes that must not be uploaded.
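As an added example (not code from the original post or from elFinder), here is an upload handler that follows the rule above: it accepts only an allowlist of extensions, checks that the file header matches the extension, and stores the file under a random name in a directory verified to lie outside the document root. The DOCROOT and UPLOAD_DIR paths are assumptions for the example.

```python
import secrets
from pathlib import Path

# Assumed layout (constructed for this example): the web server serves DOCROOT,
# and UPLOAD_DIR is a sibling directory that the web server never serves directly.
DOCROOT = Path("/var/www/html")
UPLOAD_DIR = Path("/var/www/uploads")

# Allowlist, not blocklist: only these extensions are ever stored, and each one
# maps to the MIME type a separate download script would send back.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
           "png": "image/png", "gif": "image/gif", "pdf": "application/pdf"}

# Leading bytes of each allowed format, used to check that the content really
# is what the extension claims rather than trusting the client-supplied name.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
         (b"%PDF-", "application/pdf")]


def sniff_type(data: bytes):
    """Return the MIME type implied by the file header, or None if unknown."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def validate_upload(filename: str, data: bytes):
    """Return (extension, mime) for an acceptable upload, or raise ValueError."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not on the allowlist")
    mime = sniff_type(data)
    if mime != ALLOWED[ext]:
        raise ValueError(f"content ({mime}) does not match extension .{ext}")
    return ext, mime


def store_upload(filename: str, data: bytes, upload_dir: Path = UPLOAD_DIR,
                 docroot: Path = DOCROOT) -> Path:
    """Validate, then write under a random name outside the document root."""
    ext, _ = validate_upload(filename, data)
    upload_dir, docroot = upload_dir.resolve(), docroot.resolve()
    if upload_dir == docroot or docroot in upload_dir.parents:
        raise RuntimeError("upload directory must not be inside the document root")
    # The client-supplied name is never reused, so path tricks in it are moot.
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest
```

Files stored this way are handed back by a separate download script that sets Content-Type from the allowlist, so nothing under the upload directory is ever interpreted by the web server.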