Execution with Unnecessary Privileges in kalcaddle/kodexplorer

Valid

Reported on

Jun 20th 2021


💥 BUG

Direct file URL leaked for eml file

💥 IMPACT

A user can upload an eml file and share it. After sharing this file, it will leak the direct link of this file,
which allows downloading this file even when sharing is disabled.

💥 STEPS TO REPRODUCE

1. First go to your kodexplorer admin account and visit the desktop.
Now upload an eml file: https://github.com/ranjit-git/poc/raw/master/xss3.eml

2. Now generate a sharing link like http://localhost/kodexplorer/index.php?share/file&user=1&sid=wC2Fp3qu

3. Now, as an external user, open this sharing link and view the page source; it will disclose the direct link http://localhost/kodexplorer/index.php?user/publicLink&fid=966fEXOlEKLb6k4tOduY96nF-gyrYx8z3udZCFaG2wcHj31-50kPgSHN52YVjehqoZ6IJHvMLAdZ5fqFCHatSh7BgAcSTWWYS3WAlsmUvtQDXhDkV3L32WePGck&file_name=/xss3.eml. Now, from the admin account, disable the sharing.
Finally, the user can download the file using the above leaked URL.

So, a user can download the file even after it's disabled.

💥 VIDEO

https://drive.google.com/file/d/1SKAUDA0v25Exru9BuVKPw_vtqmjSNoo7/view?usp=sharing

We have contacted a member of the kalcaddle/kodexplorer team and are waiting to hear back a year ago
ranjit-git modified the report a year ago
warlee validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
warlee (Maintainer), a year ago

The setting is like this: the download chain is effective and by default does not expire. The 'downloadUrlTime' can be set in config /setting..php to make the outer chain expire.

warlee confirmed that a fix has been merged on 6d2521 a year ago
warlee has been awarded the fix bounty
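
The behaviour the report asks for, as an added example (not KodExplorer's code and not the merged fix): a direct download link that is refused once the share is disabled or its lifetime has run out. The token format, function names, key and share table are assumptions made for illustration; only the setting name `downloadUrlTime` comes from the page, and treating 0 as "never expires" is assumed.

```php
<?php
// Added example with hypothetical names; not taken from KodExplorer.
const LINK_KEY = 'constructed-demo-key'; // constructed secret, demo only
const DOWNLOAD_URL_TIME = 3600;          // link lifetime in seconds; 0 = never expires (assumed)

// Constructed share table: sid => current share state.
$shares = ['demoSid1' => ['path' => '/xss3.eml', 'enabled' => true]];

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Bind the direct link to the share id, the file and an expiry, then sign it.
function issueLink(string $sid, string $path, int $now): string {
    $exp = DOWNLOAD_URL_TIME > 0 ? $now + DOWNLOAD_URL_TIME : 0;
    $payload = b64url(json_encode(['sid' => $sid, 'path' => $path, 'exp' => $exp]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, LINK_KEY, true));
}

// Validate on every download: signature, expiry, then the live share state.
function checkLink(string $token, array $shares, int $now): string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return 'deny: malformed';
    [$payload, $mac] = $parts;
    $want = b64url(hash_hmac('sha256', $payload, LINK_KEY, true));
    if (!hash_equals($want, $mac)) return 'deny: bad signature';
    $c = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['sid'], $c['path'], $c['exp'])) return 'deny: malformed';
    if ($c['exp'] !== 0 && $now > $c['exp']) return 'deny: expired';
    // The step the leaked link skipped: is this share still enabled right now?
    $share = $shares[$c['sid']] ?? null;
    if ($share === null || !$share['enabled'] || $share['path'] !== $c['path']) {
        return 'deny: share disabled';
    }
    return 'allow: ' . $c['path'];
}

$t0 = 1700000000; // constructed timestamp
$link = issueLink('demoSid1', '/xss3.eml', $t0);
echo checkLink($link, $shares, $t0 + 60), "\n";   // share enabled, link fresh
$shares['demoSid1']['enabled'] = false;           // admin disables the sharing
echo checkLink($link, $shares, $t0 + 120), "\n";  // same link, share now disabled
$shares['demoSid1']['enabled'] = true;
echo checkLink($link, $shares, $t0 + 3601), "\n"; // same link, past its lifetime
```

Expiry alone only bounds how long a leaked link keeps working; the share-state lookup is what makes disabling a share take effect immediately.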