SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)

The elfinder module provides an AJAX-based file manager based on the elFinder javascript library.

The module doesn’t sufficiently verify requests thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. This would enable an attacker to create, modify, or delete files on the server.

There are no mitigating factors.

CVE identifier(s) issued

• CVE-2013-1972

Versions affected

• elfinder 6.x-0.x versions prior to 6.x-0.8.
• elfinder 7.x-0.x versions prior to 7.x-0.8.

Drupal core is not affected. If you do not use the contributed elFinder file manager module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the elfinder module 0.x for Drupal 6.x, upgrade to elfinder 6.x-0.8 (requires elFinder 1.2 library)
• If you use the elfinder module 0.x for Drupal 7.x, upgrade to elfinder 7.x-0.8 (requires elFinder 1.2 library)

Also see the elFinder file manager project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• Alexey Sukhotin the module maintainer
• Greg Knaddison of the Drupal Security Team
• Fox of the Drupal Security Team

Coordinated by

• Fox of the Drupal Security Team
• David Stoline of the Drupal Security Team