
Cloud Vulnerability DB
A community-led vulnerabilities database
The package studio-42/elfinder before version 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. This vulnerability, tracked as CVE-2021-23394, was discovered in March 2021 and affects installations where the server parses .phar files as PHP (Sonar Blog, CVE Details).
The vulnerability exists due to insufficient validation of file extensions and MIME types in the file upload functionality. While elFinder implements a blocklist for dangerous file types, it failed to include .phar files in this list. On Apache HTTP 2.4.46-1ubuntu1 and similar configurations, .phar files are treated as application/x-httpd-php and are executed as PHP code. This oversight allows attackers to bypass the security measures by uploading malicious PHP code within .phar files (Sonar Blog).
The successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected server, potentially leading to complete server compromise. The vulnerability is particularly severe as it can be exploited without authentication in the default configuration (Sonar Blog).
The vulnerability was fixed in elFinder version 2.1.58 by adding 'phar:*' => 'text/x-php' to the staticMimeMap configuration, so that .phar uploads are classified as PHP and rejected by the existing deny rule. Users are strongly recommended to upgrade to version 2.1.59 or later. Additionally, implementing strong access control on the connector (e.g., basic access authentication) is advised as an extra security measure (Sonar Blog).
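The following is an added example of a hardened elFinder PHP connector, written for this report; it is not code from the elFinder project or from the vulnerability write-up. It applies the same staticMimeMap entry that the 2.1.58 fix ships as a default (useful as a stopgap on an installation that cannot be upgraded immediately), combines it with a deny-by-default upload policy, and gates the connector behind an application session. The option names (uploadDeny, uploadAllow, uploadOrder, staticMimeMap, accessControl) are elFinder connector options; the autoloader path, the upload directory, the URL prefix and the $_SESSION['user_id'] check are assumptions made for illustration.

```php
<?php
// Added example: hardened elFinder connector (not elFinder's shipped connector.minimal.php).
// Assumption: elFinder is installed under ./vendor/studio-42/elfinder/.
require './vendor/studio-42/elfinder/php/autoload.php';

// Assumption: the host application stores the authenticated user id in the session.
// Without a check like this the connector (and its upload command) is reachable anonymously,
// which is what made CVE-2021-23394 exploitable without authentication.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('authentication required');
}

// Deny read/write on dot-files (except the volume root); let elFinder decide the rest.
function access($attr, $path, $data, $volume, $isDir, $relpath) {
    $basename = basename($path);
    return $basename[0] === '.' && strlen($relpath) !== 1
        ? !($attr == 'read' || $attr == 'write')
        : null;
}

$opts = array(
    'roots' => array(
        array(
            'driver'        => 'LocalFileSystem',
            'path'          => '/var/www/uploads/',  // assumption: upload storage directory
            'URL'           => '/uploads/',          // assumption: its public URL prefix
            // Deny everything first, then allow only an explicit set of MIME types.
            'uploadDeny'    => array('all'),
            'uploadAllow'   => array('image/gif', 'image/jpeg', 'image/png', 'text/plain'),
            'uploadOrder'   => array('deny', 'allow'),
            // Force the .phar extension to be classified as PHP whatever MIME type content
            // sniffing reports, so it can never pass as text/plain. This is the mapping the
            // 2.1.58 fix added to elFinder's built-in static map.
            'staticMimeMap' => array('phar:*' => 'text/x-php'),
            'accessControl' => 'access',
        ),
    ),
);

$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

The allowlist (uploadDeny all, then uploadAllow, in deny/allow order) already blocks text/x-php, so the staticMimeMap line matters only for making sure .phar is recognised as PHP in the first place; keep both, because a content-sniffed MIME type is not a reliable signal for a file that the web server will hand to the PHP interpreter by extension.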
Source: This report was generated using AI