An Unexpectedly Straight-Forward Directory Traversal in elFinder due to Bad Regex
A directory traversal issue whose root cause is a flawed regex-and-replace: #(/)[^\/]+/\.\./#. This regex matches directory/../ and, once matched, replaces it with the first capture group (/). So it effectively performs the traversal itself and normalizes the path, which is always a red flag when done ad hoc. The bypass was simple: the pattern specifically looks for one or more non-/ characters followed by /../, so providing //../ does not match, because the "parent directory" component contains no non-/ characters.
Unfortunately for the Synacktiv team, the most straight-forward case was mitigated in the most recent versions of elFinder: a relative file path passes through the _joinPath function, which resolves the file using realpath. So even though the later regex check would not catch //../, the sequence gets resolved before reaching it. That said, absolute paths were still an option, but this requires the path to begin with the application's sandboxed directory. This might be guessable in some situations (e.g. /var/www), or it might need to be disclosed via another vulnerability. Regardless, providing a path that matches the expected root, followed by standard traversal, would work.
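As an added illustration (not code from elFinder or the Synacktiv write-up), here is a Python model of the regex-normalise-then-prefix-check pattern described above, beside a realpath-based containment check; the sandbox root is a constructed placeholder and the single regex pass is a simplification of the PHP original:

```python
import os
import re

# The flawed pattern from the write-up, transcribed as-is: it collapses
# "<dir>/../" to "/" in one regex pass instead of letting the OS resolve it.
FLAWED_TRAVERSAL_RE = re.compile(r"(/)[^\/]+/\.\./")


def flawed_normalize(path: str) -> str:
    """Model of the regex-and-replace normalisation (simplified, single pass)."""
    return FLAWED_TRAVERSAL_RE.sub(r"\1", path)


def flawed_is_within_root(path: str, root: str) -> bool:
    """Regex-normalise, then trust a string prefix check against the sandbox root.

    A "//../" segment survives the regex untouched, still starts with the root,
    and is only collapsed later by the filesystem, outside the sandbox.
    """
    normalized = flawed_normalize(path)
    return normalized == root or normalized.startswith(root + "/")


def hardened_is_within_root(path: str, root: str) -> bool:
    """Resolve both sides with realpath, then check containment structurally."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


ROOT = "/srv/elfinder-root"  # constructed sandbox root for the demonstration

if __name__ == "__main__":
    for candidate in (ROOT + "/docs/a.txt",
                      ROOT + "/../etc/passwd",
                      ROOT + "//../etc/passwd"):
        print(f"{candidate!r:45} flawed={flawed_is_within_root(candidate, ROOT)!s:5} "
              f"hardened={hardened_is_within_root(candidate, ROOT)}")
```

Running it shows the flawed check accepting the double-slash variant while the realpath-based check rejects it, which is the defensive takeaway: let the OS canonicalise, then compare resolved paths.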