Execution with Unnecessary Privileges in kalcaddle/kodexplorer


Reported on

Jun 20th 2021


direct file url leaked for eml file


user can upload eml file and can share this . After sharing this file , it will leak direct link of this file .
Which allow to download this file even when sharing is disabled .


1. First goto your kodexplorer admin account and visit desktop .
Now upload a eml file https://github.com/ranjit-git/poc/raw/master/xss3.eml .\

2. Now generate a sharing link like http://localhost/kodexplorer/index.php?share/file&user=1&sid=wC2Fp3qu .\

3. Now as a external user open this sharing link and view page source and it will disclose direct-link http://localhost/kodexplorer/index.php?user/publicLink&fid=966fEXOlEKLb6k4tOduY96nF-gyrYx8z3udZCFaG2wcHj31-50kPgSHN52YVjehqoZ6IJHvMLAdZ5fqFCHatSh7BgAcSTWWYS3WAlsmUvtQDXhDkV3L32WePGck&file_name=/xss3.eml. Now from admin account disabled the sharing .
Finally user can download the file using above leaked url .

So, user can download file even after its disabled .



We have contacted a member of the kalcaddle/kodexplorer team and are waiting to hear back 2 years ago
ranjit-git modified the report
2 years ago
warlee validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


Setting is like this, Download chain is effective, default does not expire The 'downloadUrlTime' can be set in config /setting..php to make the outer chain expired

warlee marked this as fixed with commit 6d2521 2 years ago
warlee has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation