Execution with Unnecessary Privileges in kalcaddle/kodexplorer
Reported on
Jun 20th 2021
💥 BUG
Direct file URL leaked for a shared .eml file
💥 IMPACT
A user can upload an .eml file and share it. After the file is shared, the share page leaks the file's direct link,
which allows the file to be downloaded even after sharing has been disabled.
💥 STEP TO REPRODUCE
1. Log in to your KodExplorer admin account, go to the desktop and upload an .eml file, e.g. https://github.com/ranjit-git/poc/raw/master/xss3.eml
2. Generate a sharing link, e.g. http://localhost/kodexplorer/index.php?share/file&user=1&sid=wC2Fp3qu
3. As an external user, open the sharing link and view the page source; it discloses the direct link http://localhost/kodexplorer/index.php?user/publicLink&fid=966fEXOlEKLb6k4tOduY96nF-gyrYx8z3udZCFaG2wcHj31-50kPgSHN52YVjehqoZ6IJHvMLAdZ5fqFCHatSh7BgAcSTWWYS3WAlsmUvtQDXhDkV3L32WePGck&file_name=/xss3.eml
4. From the admin account, disable sharing for the file.
5. The external user can still download the file using the leaked URL above, so the file remains downloadable even after sharing is disabled.
💥 VIDEO
https://drive.google.com/file/d/1SKAUDA0v25Exru9BuVKPw_vtqmjSNoo7/view?usp=sharing
Occurrences
The setting is like this: the download link is effective and by default does not expire. 'downloadUrlTime' can be set in config/setting.php to make the external link expire.
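To illustrate the mitigation implied by the report and the maintainer's note (a direct-download token that expires and is re-checked against the share's current state), here is an added example in Python. It is not KodExplorer's code; the secret, the share table, the file id placeholder and the function names are all constructed for the example, while the share id `wC2Fp3qu` and the `downloadUrlTime` lifetime idea come from the report.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed sample data: a server-side signing secret and an in-memory share table.
SECRET = b"hypothetical-server-secret"                      # placeholder, not a real key
SHARES = {"wC2Fp3qu": {"fid": "fid-placeholder", "enabled": True}}
DOWNLOAD_URL_TIME = 3600   # link lifetime in seconds, the role downloadUrlTime plays

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def issue_link(sid: str, now=None, ttl: int = DOWNLOAD_URL_TIME) -> str:
    """Mint a direct-download token bound to a share id and an absolute expiry."""
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{sid}|{exp}".encode()
    return _b64(payload) + "." + _sign(payload)

def resolve_link(token: str, now=None):
    """Return the file id only if the token is authentic, unexpired and the share is still enabled."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        if not hmac.compare_digest(_sign(payload), sig):
            return None                      # forged or tampered token
        sid, exp = payload.decode().split("|", 1)
    except (ValueError, TypeError, binascii.Error, UnicodeDecodeError):
        return None
    if now > int(exp):
        return None                          # downloadUrlTime elapsed
    share = SHARES.get(sid)
    if share is None or not share["enabled"]:
        return None                          # share disabled after the link leaked: the reported bug
    return share["fid"]

def disable_share(sid: str) -> None:
    """Admin action from step 4 of the report; any already-issued link stops working."""
    SHARES[sid]["enabled"] = False
```

The second check in `resolve_link` is the one the report shows missing: a leaked link must be re-validated against the share's current state on every request, not only when it was minted.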