Access Control: Drupal 7 Elfinder - Remote Code Execution

Identifier: drupal7_elfinder_rce

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

Identifies Drupal sites with the elfinder library installed. Exposed installations may allow unrestricted file upload through the connector.php endpoint, which can lead to remote code execution if an attacker uploads a PHP file that the server then executes.

How we test: We check for the presence of the vulnerable elfinder component on Drupal sites by requesting the connector.php file and analyzing the response to determine whether unrestricted file upload functionality is exposed.

Reference:

Configuration

Example

Example configuration:

---
security_tests:
  drupal7_elfinder_rce:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.