Execution with Unnecessary Privileges in kalcaddle/kodexplorer

Valid

Reported on

Jun 20th 2021

💥 BUG

any user can download any file

download any kodexplorer uploaded file

1. First goto your kodexplorer admin account and visit desktop .
Now upload a txt file called a.txt to desktop .\

2. Now open another browser and visit http://localhost/kodexplorer/data/User/admin/home/desktop/a.txt to see that file content .

Downloader.class.php L11

We have contacted a member of the kalcaddle/kodexplorer team and are waiting to hear back 2 years ago

commented 2 years ago

Maintainer

The current setting is like this: users can specify the location of the data directory again, and can specify it outside the web directory.

config/config.php

可以数据目录;移到web目录之外，可以使程序更安全, 就不用限制用户的扩展名权限了;
1. 需要先将data文件夹移到别的地方例如将data文件夹拷贝到D:/
1. 在config文件夹下新建define.php 新增一行 <?php define('DATA_PATH','D:/data/');
注意:路径不能写错;其次php需要有权限访问移动后的目录(设置了防跨站需要关闭) 路径结尾/斜杠绝对不能缺少 */ if(file_exists(BASIC_PATH.'config/define.php')){ include(BASIC_PATH.'config/define.php'); } if(!defined('DATA_PATH')){ define('DATA_PATH',BASIC_PATH .'data/'); //用户数据目录 }

warlee validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

warlee marked this as fixed with commit 54a4dd 2 years ago

warlee has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation