Path Traversal in kalcaddle/kodexplorer

Valid

Reported on

Jun 13th 2021


✍️ Description

KodExplorer is a web-based file manager and web IDE/browser-based code editor. I discovered that by uploading a symbolically linked file, any user can see any file on the server, which causes a Path Traversal vulnerability.

🕵️‍♂️ Proof of Concept

  1. Create a file with the following command: ln -s /etc/passwd test
  2. Upload that file from any user.
  3. Open and view the file; you can see the system passwd file.

💥 Impact

Any user can view any system file via symlink files.

Recommendation

Unlink the files during file upload.
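
A server-side check in the spirit of this recommendation, as an added example that is not part of the original report and is not KodExplorer's own code. It assumes each user has a storage root directory; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile

def resolve_inside(root, rel_path):
    """Return the real path of rel_path, or raise if it is a symlink or leaves root."""
    root_real = os.path.realpath(root)
    candidate = os.path.join(root_real, rel_path)
    if os.path.islink(candidate):  # lstat-based: inspects the link, not its target
        raise PermissionError(f"symlink refused: {rel_path}")
    real = os.path.realpath(candidate)
    # realpath also resolves symlinked parent directories and ../ segments
    if os.path.commonpath([root_real, real]) != root_real:
        raise PermissionError(f"path escapes storage root: {rel_path}")
    return real

def read_user_file(root, rel_path):
    """Read a stored file only after the containment check passes."""
    real = resolve_inside(root, rel_path)
    # O_NOFOLLOW narrows the check-to-open race on the final path component
    fd = os.open(real, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def purge_symlinks(root):
    """Unlink every symlink under root (post-upload sweep); return what was removed."""
    removed = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)  # removes the link only, never its target
                removed.append(os.path.relpath(path, root))
                if name in dirnames:
                    dirnames.remove(name)  # do not descend into a removed link
    return sorted(removed)

if __name__ == "__main__":
    # Constructed sample: a user root holding a link to a file outside it
    base = tempfile.mkdtemp()
    root = os.path.join(base, "user_home")
    os.makedirs(root)
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the storage root")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "test"))
    try:
        read_user_file(root, "test")
    except PermissionError as exc:
        print("blocked:", exc)
    print("removed:", purge_symlinks(root))
```

The same two checks are available in PHP as is_link() and realpath().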

warlee
2 years ago

Maintainer


When the soft connection file is uploaded, the real file has already been uploaded

warlee validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
warlee marked this as fixed with commit 6d2521 2 years ago
warlee has been awarded the fix bounty
This vulnerability will not receive a CVE
x3rz
2 years ago

Researcher


Thank you for the fix. Can you please have a look at this one also: https://www.huntr.dev/bounties/11-kalcaddle/KodExplorer/
