kalcaddle/KodExplorer (Original Repo) Vulnerabilities
code5ecure/KodExplorer

KodExplorer

1. CSRF Vulnerability Leading to Admin User Creation in KodExplorer

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in KodExplorer that allows an attacker who holds no admin credentials to create a new administrator user, by tricking a logged-in administrator's browser into sending a forged request.
The "X-CSRF-TOKEN" value sent in the request header and in the cookie is never validated by the backend, so a request with a missing or arbitrary token is accepted.

Using the admin session to forge the request: [screenshot]

Affected Product

  • Product: KodExplorer
  • Versions: 4.52

Vulnerability Type

  • Cross-Site Request Forgery (CSRF)
  • Privilege Escalation

Impact

An attacker can create a new administrator account and gain full control over the application. User interaction is required: the logged-in administrator must open the attacker's page and submit the form (click the button).

Mitigation

(Do not expose KodExplorer in a production environment; consider more secure alternatives.)

  • Validate CSRF tokens server-side on every state-changing request.
  • Validate the request origin (Origin/Referer header).
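What the two mitigation bullets look like when implemented, as an added example written for this page and not KodExplorer's own code: the token must be compared against a server-side value (a value that only arrives in a cookie proves nothing, because the browser attaches cookies to forged requests too), and the Origin header must belong to the site. The function names, the `$session` array standing in for `$_SESSION`, and the `kod.example` / `attacker.example` origins are assumptions made for the illustration; only the X-CSRF-TOKEN header name comes from the advisory.

```php
<?php
// Added example, not KodExplorer's own code: server-side CSRF token and
// origin validation. Function names, the $session array (stand-in for
// $_SESSION) and the origins used below are assumptions for illustration.

// Issue one random token per session and expose it to the front-end (for
// example in a meta tag) so the page's own JavaScript can echo it back.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Only a value the page's script had to read and copy into a custom header
// counts, and it must equal the server-side value, compared in constant time.
// A token that merely rides along in a cookie is ignored on purpose.
function csrf_valid(array $server, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($expected === '' || $sent === '') {
        return false;            // a missing token is a failure, not a pass
    }
    return hash_equals($expected, $sent);
}

// Second layer: the Origin header (or, failing that, the Referer's origin)
// must be this site. A form posted from attacker.example carries that origin.
function origin_valid(array $server, array $allowed): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '' && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if (is_array($p) && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host']
                    . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== '' && in_array($origin, $allowed, true);
}

// Gate every state-changing action, user creation included, behind both checks.
function request_allowed(array $server, array $session, array $allowed): bool
{
    return csrf_valid($server, $session) && origin_valid($server, $allowed);
}

// Constructed demonstration requests (no real server involved).
$session = [];
$token   = csrf_issue($session);
$site    = ['https://kod.example'];

// 1. Forged request: the admin's cookies are attached automatically, but the
//    attacker's page cannot read the token, so the header is absent and the
//    Origin is foreign.
$forged = ['HTTP_ORIGIN' => 'https://attacker.example',
           'HTTP_COOKIE' => 'PHPSESSID=abc; X-CSRF-TOKEN=' . $token];
// 2. Legitimate request issued by the application's own page.
$legit  = ['HTTP_ORIGIN' => 'https://kod.example', 'HTTP_X_CSRF_TOKEN' => $token];
// 3. Correct origin but a guessed token.
$guess  = ['HTTP_ORIGIN' => 'https://kod.example', 'HTTP_X_CSRF_TOKEN' => str_repeat('0', 64)];

foreach (['forged' => $forged, 'legit' => $legit, 'guess' => $guess] as $name => $req) {
    printf("%-6s => %s\n", $name, request_allowed($req, $session, $site) ? 'allowed' : 'rejected');
}
```

Only the `legit` request passes. Marking the session cookie `SameSite=Lax` or `Strict` is a useful additional layer in modern browsers, but it does not replace the server-side token check, since older clients and some navigation types still send the cookie.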

2. Exposure of Sensitive System Files/Directories

In KodExplorer version 4.52 (and 4.52.01), the demo user (default guest account with credentials demo/demo) can access and list the server's physical root directory (e.g., C:\ on Windows/XAMPP or / on Linux) through the explorer/pathList endpoint.

Impact:

  • Information disclosure: reveals the server's directory structure, installed software paths (e.g., xampp, windows, program files), and potentially config files, logs, or other sensitive system information.
  • Aids further attacks: helps attackers map the filesystem for targeted exploitation (e.g., combined with other vulnerabilities such as an unrestricted upload, if present).
  • CVSS estimation: ~5.3–6.5 (Medium). Requires authentication as the low-privileged demo user; no read/write access to files was observed, and traversal (../ or absolute paths) is blocked.

This was observed on a default XAMPP + KodExplorer installation.

Steps to Reproduce

1. Log in as the default demo user (username: demo, password: demo).
2. Send a POST request to /index.php?explorer/pathList with an empty or invalid path parameter.

The response JSON produced by show_json($list) contains the file/folder listing of the server's root filesystem instead of the expected restricted sandbox.

Notes:

  • Normal users should be restricted to their home/sandbox path.
  • No path traversal is possible: sanitization via _DIR() and realpath prevents ../ escapes.
  • Only the root listing is exposed; sub-directory navigation fails or falls back to root.
  • Occurs in a default installation without custom config changes.

Affected Versions: 4.52 and 4.52.01 (latest release)

Mitigation:

  • Disable or remove the demo/guest account.
  • Restrict open_basedir in php.ini to KodExplorer's data directory.
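The root cause described above is a resolver that, given an empty or invalid path, falls back to the filesystem root instead of refusing. The following is an added example written for this page, not KodExplorer's own code, of a path resolver that fails closed: empty, absolute and non-existent inputs are rejected, and anything that realpath resolves outside the user's sandbox is rejected with a separator-terminated prefix check. The function name and the temporary sandbox layout are assumptions for the illustration.

```php
<?php
// Added example, not KodExplorer's own code: resolve a user-supplied path
// strictly inside the user's sandbox and fail closed on empty or invalid
// input. The function name and the demo directory layout are assumptions.

function resolve_in_sandbox(string $sandbox, string $requested): ?string
{
    $base = realpath($sandbox);
    if ($base === false || !is_dir($base)) {
        return null;                       // misconfigured sandbox: deny
    }
    // An empty or absolute path must never be reinterpreted as "/" or C:\.
    if ($requested === '' || $requested[0] === '/' || $requested[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $requested)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;                       // non-existent path: deny, do not fall back
    }
    // $target must be $base itself or a descendant. The trailing separator on
    // the prefix stops /data/demo2 from passing for sandbox /data/demo.
    $baseNoSep = rtrim($base, DIRECTORY_SEPARATOR);
    $prefix    = $baseNoSep . DIRECTORY_SEPARATOR;
    if ($target !== $baseNoSep && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Demonstration on a temporary sandbox constructed for this example.
$sandbox = sys_get_temp_dir() . '/kod_demo_' . bin2hex(random_bytes(4));
mkdir($sandbox . '/docs', 0700, true);
touch($sandbox . '/docs/readme.txt');

// Inputs: the empty path that triggers the fallback, normal relative paths,
// and several escape attempts.
$cases = ['', '.', 'docs', 'docs/readme.txt', '../', '/etc', 'C:\\', 'docs/../../'];
foreach ($cases as $c) {
    $r = resolve_in_sandbox($sandbox, $c);
    printf("%-20s => %s\n", var_export($c, true), $r === null ? 'DENIED' : $r);
}

// Clean up the temporary sandbox.
unlink($sandbox . '/docs/readme.txt');
rmdir($sandbox . '/docs');
rmdir($sandbox);
```

Only `.`, `docs` and `docs/readme.txt` resolve; everything else, including the empty string, is denied. The `open_basedir` setting recommended above is worth applying as well, but it is a defence-in-depth limit on what PHP may open, not a substitute for this check: the listing endpoint should refuse to serve a path it cannot place inside the caller's sandbox.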
