Hello, welcome to the Thursday, February 3, 2022 edition of the Sandton and Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

ELFinder is a real neat tool that allows you to get essentially a GU-like experience in the web browser in order to manage files on your

web server.

So you're able to upload, download files.

The overall user interface is a little bit like the Finder in a Mac OS, which gave it

its name, Yel Finder.

There are two parts to the tool, a front end written in JavaScript and a back end written in

PHP, and that back end well has had some issues as recent as July last year.

There were two remote code execution vulnerabilities discovered in the tool. In particular,

the problem here appears to be sort of unrestricted file uploads where an attacker may be able

to upload a file and then execute code. But even just the ability to upload files without actually executing any code can be quite useful to an attacker.

And these last couple of weeks we have seen a marked increase in scans for EL Finder against our honeypots.

The tool comes as a standalone tool, but also as a plug-in to systems like

WordPress and you may not necessarily be aware that you're using ELFinder in those cases.

So do yourself a favor and scan your web server for some of the URLs the attackers are looking

for and double check that if you are using EL Finder, that it's

properly up to date and that it's also properly password protected. These kind of tools are

often used by fissures to then upload phishing pages to websites and basically use your system to also in some cases collect the data that the

phishing pages provide. And if you're using IBM's Spectrum Protect Plus product for backups,

in particular popular, of course, for containers, well, be aware there is a critical update available.

This critical update fixes problems with data tables,

...