Execution with Unnecessary Privileges in kalcaddle/kodexplorer

Valid

Reported on Jun 20th 2021


💥 BUG

Any user can download any file.

💥 IMPACT

Download any file uploaded to kodexplorer.

💥 STEPS TO REPRODUCE

1. Log in to your kodexplorer admin account and open the desktop. Upload a text file called a.txt to the desktop.

2. Now open another browser and visit http://localhost/kodexplorer/data/User/admin/home/desktop/a.txt to see the file's content.

💥 VIDEO POC

https://drive.google.com/file/d/1mLsSddNnCyak_Uspo7op-iGXdgCEPeO5/view?usp=sharing

We have contacted a member of the kalcaddle/kodexplorer team and are waiting to hear back a year ago
warlee (Maintainer), a year ago:

The current setting is like this: users can specify the location of the data directory again, and can specify it outside the web directory.

config/config.php

/*
 * The data directory can be moved outside the web directory, which makes the program more secure
 * and removes the need to restrict users' file-extension permissions;
 * 1. First move the data folder somewhere else, for example copy the data folder to D:/
 * 2. Create define.php in the config folder and add one line: <?php define('DATA_PATH','D:/data/');
 * Note: the path must not be mistyped; PHP also needs permission to access the moved directory
 * (if anti-cross-site protection is enabled, it must be turned off); the trailing / at the end of
 * the path must never be omitted
 */
if(file_exists(BASIC_PATH.'config/define.php')){
    include(BASIC_PATH.'config/define.php');
}
if(!defined('DATA_PATH')){
    define('DATA_PATH',BASIC_PATH .'data/'); // user data directory
}
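An added illustration of the maintainer's recommendation (not kodexplorer's own code): a PHP check that the configured data directory really resolves outside the web root, so uploads are no longer served as static files. BASIC_PATH and DATA_PATH are the constants from the snippet above; the helper name and the temporary directories are constructed for the demonstration.

```php
<?php
/**
 * Return true only when $dataPath resolves to a directory that is not inside
 * $webRoot. Both paths are canonicalised with realpath() so that symlinks,
 * '..' segments and a missing trailing slash cannot fool the comparison; the
 * trailing separator appended to the web root stops a sibling such as
 * /var/www/html_data from matching a web root of /var/www/html.
 */
function dataDirOutsideWebRoot(string $webRoot, string $dataPath): bool
{
    $root = realpath($webRoot);
    $data = realpath($dataPath);
    if ($root === false || $data === false) {
        return false; // unresolvable path: refuse rather than guess
    }
    $root = rtrim($root, '/\\') . DIRECTORY_SEPARATOR;
    $data = rtrim($data, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($data, $root, strlen($root)) !== 0;
}

// Constructed layouts in a temporary directory (hypothetical paths).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kod_demo_' . uniqid();
mkdir("$tmp/www/data", 0700, true);      // default layout: data under the web root
mkdir("$tmp/outside/data", 0700, true);  // layout the maintainer recommends
mkdir("$tmp/www_data", 0700, true);      // sibling sharing a prefix with the web root

foreach (["$tmp/www/data", "$tmp/outside/data", "$tmp/www_data"] as $candidate) {
    $ok = dataDirOutsideWebRoot("$tmp/www", $candidate) ? 'outside web root' : 'WEB-SERVED';
    echo str_replace($tmp, '<tmp>', $candidate), ': ', $ok, PHP_EOL;
}

// How the check could be wired into config/define.php once DATA_PATH is set:
// log loudly when the data directory is still reachable as a static path.
if (defined('BASIC_PATH') && defined('DATA_PATH')
    && !dataDirOutsideWebRoot(BASIC_PATH, DATA_PATH)) {
    error_log('DATA_PATH is inside the web root: uploaded files are directly downloadable');
}
```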
warlee validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
warlee confirmed that a fix has been merged on 54a4dd a year ago
warlee has been awarded the fix bounty