The media browser elFinder is a convenient way to manage image files. It's available with popular software such as the Symfony framework. The elFinder software consists of JavaScript code that runs on the browser and backend components written in PHP. The latter includes server-side connectors for expanding its capabilities.
A serious vulnerability in elFinder was discovered in 2019. It was quickly fixed, but we still find a lot of attempts to exploit it. The vulnerable version is still widely used. According to the report on GitHub: "The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not validated, allowing shell metacharacters."
In brief, a browser request could invoke the PHP connector script connector.minimal.php on the server without any authorization. It was only necessary to specify the script's path in a POST request along with the appropriate parameters.
The initial concern after discovering the vulnerability was that it would let visitors vandalize a website. They could perform unauthorized operations on files or upload new ones. An image could be turned upside-down. It could be shrunk to invisibility or blown up to obscure a whole page.
However, it quickly became clear that this was the least of the problems. If a site let users upload arbitrary files, they could do serious damage. The trick was to put shell-script code in a file and give it a .JPG extension. The attacker could then make the connector run the script.
Attackers have used this to deposit a small downloader on the server. It serves as a backdoor for downloading malware files. Many websites are still affected. Patching the software won't remove any backdoors that have already been installed.
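Two defensive checks that follow from the description above, as an added example rather than code from elFinder or from the original article: a scan of web-server access logs for scripted POSTs to connector.minimal.php, and an upload check that rejects shell metacharacters in file names and refuses a ".JPG" whose bytes are not actually an image. The log lines, IP addresses and User-Agent strings are constructed for the example.

```python
import re

# Constructed access-log lines in Combined Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:12:01:10 +0000] "GET /images/logo.png HTTP/1.1" 200 9001 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:12:02:00 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 300 "-" "python-requests/2.25"
192.0.2.9 - - [10/Mar/2021:12:03:00 +0000] "POST /elfinder/php/connector.minimal.php HTTP/1.1" 200 700 "https://example.test/admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CONNECTOR = "connector.minimal.php"

def connector_posts(log_text):
    """Return (ip, referer, user_agent) for every POST that reached the connector."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith("/" + CONNECTOR):
            hits.append((m["ip"], m["referer"], m["ua"]))
    return hits

def scripted_hits(log_text):
    """Connector POSTs with no Referer: a browser session normally sends one, a script often does not."""
    return [h for h in connector_posts(log_text) if h[1] == "-"]

# Characters a shell interprets; the vulnerable connector passed them through in file names.
SHELL_META = re.compile(r'[;&|`$(){}<>\\\s]')
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def filename_is_safe(name):
    """Reject path separators, hidden names, shell metacharacters and non-image extensions."""
    if "/" in name or "\\" in name or name.startswith(".") or SHELL_META.search(name):
        return False
    parts = name.rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in ALLOWED_EXT

# Leading bytes of the allowed image formats (JPEG, PNG, GIF).
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}

def content_matches_extension(name, data):
    """A .JPG name on shell-script bytes, the trick described above, fails this check."""
    ext = name.rsplit(".", 1)[-1].lower()
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind == ext or (kind == "jpg" and ext == "jpeg")
    return False
```

The name and magic-byte checks belong on the server side of the upload path; the log scan is a starting point for finding hosts that were hit before the patch was applied.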
The malicious POST request uploads a file called, for example, SecSignal.jpg, but its content isn't JPEG data. It's a shell script. Its content is like this: