CVE-2022-26960: 
PHP vulnerability analysis and mitigation

elFinder through version 2.1.60 is affected by a path traversal vulnerability (CVE-2022-26960) that was discovered in March 2022. This vulnerability allows unauthenticated remote attackers to read, write, and browse files outside the configured document root directory. The issue stems from improper handling of absolute file paths in the connector.minimal.php component (NVD, Synacktiv).

The vulnerability exists in the getFullPath function within elFinderVolumeDriver.class.php, which fails to properly sanitize path traversal sequences. The function uses an incorrect regex pattern (#(/)^/+/../#) for normalizing paths, which allows attackers to bypass directory traversal protections by using double slash sequences (//) followed by ../ patterns. The vulnerability received a CVSS v3.1 score of 9.1 CRITICAL (NVD, Synacktiv).

The vulnerability allows attackers to read, write, and browse files outside the configured document root directory. With appropriate permissions, attackers can perform various actions including searching, uploading files, and browsing parent directories. In some cases, this can lead to remote code execution by modifying critical files such as authorized_keys or crontabs (Synacktiv).

The vulnerability was patched in elFinder version 2.1.61. Organizations should upgrade to this version or later to address the issue. The fix includes improved path validation in the _joinPath function and additional security measures for handling file paths (Synacktiv).