
Access Control: Drupal 7 Elfinder - Remote Code Execution

Identifier: drupal7_elfinder_rce

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

Identifies Drupal sites with the elFinder library installed, which could be vulnerable to unrestricted file upload through the library's connector.php file. When this component is detected, the site may be exposed to remote code execution via uploaded PHP files. This template only detects the presence of the vulnerable component and does not perform any exploitation.
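Because the template above only reports that the component is present, an operator who receives the finding will usually want to confirm it from the server side. The following is an added example, not part of the scanner template or of the elFinder project: it walks a Drupal docroot and lists any connector.php that sits under a directory named elfinder. The assumption that the connector lives at that name inside an elfinder-named directory, and the sites/all/libraries layout used for the constructed sample, are illustrative and may differ on a real install.

```python
"""Defender-side inventory check (added example, not code from the page or the scanner).

Walks a Drupal docroot and reports elFinder connector scripts so the presence
finding can be confirmed or refuted locally. Assumptions: the connector is a
file named connector.php located somewhere beneath a directory named
'elfinder' (case-insensitive). Real deployments may place it elsewhere.
"""
import tempfile
from pathlib import Path

CONNECTOR_NAME = "connector.php"   # assumed file name of the elFinder PHP connector
LIBRARY_DIR_HINT = "elfinder"      # assumed directory name the library is unpacked into


def find_elfinder_connectors(docroot):
    """Return sorted docroot-relative POSIX paths of connector.php files under an elfinder dir.

    A connector.php that is not inside an 'elfinder' directory is ignored, so an
    unrelated file with the same name does not produce a false positive.
    """
    root = Path(docroot)
    hits = []
    for path in root.rglob(CONNECTOR_NAME):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        # Only the directory components count; the last part is the file name itself.
        parent_dirs = [p.lower() for p in rel.parts[:-1]]
        if LIBRARY_DIR_HINT in parent_dirs:
            hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_docroot():
    """Construct a throwaway docroot (constructed sample, not a real site).

    Contains one connector.php in an elfinder library directory (should be reported)
    and one unrelated connector.php in a custom module (should be ignored).
    """
    base = Path(tempfile.mkdtemp(prefix="drupal_docroot_"))
    lib = base / "sites" / "all" / "libraries" / "elfinder" / "php"
    lib.mkdir(parents=True)
    (lib / CONNECTOR_NAME).write_text("<?php // constructed sample connector\n")
    other = base / "sites" / "all" / "modules" / "custom" / "other"
    other.mkdir(parents=True)
    (other / CONNECTOR_NAME).write_text("<?php // unrelated file with the same name\n")
    return base


def audit_report(docroot):
    """Return a short human-readable summary plus the list of matches."""
    hits = find_elfinder_connectors(docroot)
    if hits:
        summary = f"elFinder connector present ({len(hits)} match): " + ", ".join(hits)
    else:
        summary = "no elFinder connector found under docroot"
    return summary, hits


if __name__ == "__main__":
    sample = build_sample_docroot()
    summary, _ = audit_report(sample)
    print(summary)
```

Run it against a real docroot by calling `audit_report("/var/www/html")` (path is an example); a non-empty match list means the component the scanner template looks for is indeed installed and the connector should be removed or access to it restricted.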

Reference:

Configuration

Example

Example configuration:

---
security_tests:
  drupal7_elfinder_rce:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.