
Remote file upload vulnerability in ver <= 4.1.12 #249

Open
lcashdol opened this issue Jun 14, 2017 · 7 comments

@lcashdol

commented Jun 14, 2017

Hello,

It appears there is a remote file upload vulnerability in kindeditor<= 4.1.12 specifically in kindeditor/php/upload_json.php. The file doesn't sanitize user input or check that a user should be uploading arbitrary files to the system.

A simple curl request to kindeditor/php/upload_json.php?dir=file with the data filename=test.html set via a POST request is all that's required to exploit this vulnerability:

$ curl -F "imgFile=@test.html" http://example.com/kindeditor/php/upload_json.php?dir=file
{"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}

@lcashdol lcashdol changed the title Remote file upload vulnerability in ver <= 4.1.11 Remote file upload vulnerability in ver <= 4.1.12 Jun 14, 2017

@attritionorg

commented Jun 17, 2017

Can you then call the file you uploaded? Any restriction on type of file uploaded?

@lcashdol
Author

commented Jun 17, 2017

It appears it doesn't allow .php, .phtml, .shtml or other executable extensions. You can upload .html and call it, as it's uploaded to the web server path. But no server-side code exec.

@lcashdol
Author

commented Aug 22, 2017

Hello,

It appears there is a remote file upload vulnerability in kindeditor <= 4.1.12, specifically in kindeditor/php/upload_json.php. The file does not sanitize user input or check whether a user should be uploading arbitrary files to the system.

A simple curl request to kindeditor/php/upload_json.php?dir=file with the data filename=test.html set via a POST request is all that is needed to exploit this vulnerability:

$ curl -F "imgFile=@test.html" http://example.com/kindeditor/php/upload_json.php?dir=file
{"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}

@luolonghao
Member

commented Aug 22, 2017

Hi, upload_json.php is just demo code; when using KindEditor, please delete the server-side code and use your own upload solution.
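What a replacement upload handler should check before accepting a file, as an added example written for this thread and not KindEditor's own code. It assumes the caller has already authenticated the user; the storage directory and the extension allowlist are constructed examples, and the stored-file directory must be served with script execution disabled.

```php
<?php
// Added example (not KindEditor code): accept-or-reject logic for an upload
// endpoint. Extension allowlist only (no .php/.phtml/.shtml and, unlike the demo,
// no .html, which would be served as a page), content sniffed with finfo, and a
// server-generated file name so no client input reaches the filesystem path.
const ALLOWED = [            // constructed allowlist: extension => accepted MIME types
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
    'txt' => ['text/plain'],
];
const MAX_BYTES = 5 * 1024 * 1024;

/** Validate one entry of $_FILES and return the name to store it under, or throw. */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only the final extension of the client name is used; the name itself
    // (which may carry ../ or a double extension like shell.php.jpg) never is.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    // Check what the bytes are, not what the client-sent Content-Type claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // single, server-chosen extension
}

$dir = __DIR__ . '/../attached/file/';   // constructed path; serve with PHP execution off
header('Content-Type: application/json');
try {
    $name = validateUpload($_FILES['imgFile'] ?? []);
    if (!move_uploaded_file($_FILES['imgFile']['tmp_name'], $dir . $name)) {
        throw new RuntimeException('could not store file');
    }
    echo json_encode(['error' => 0, 'url' => '/attached/file/' . $name]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['error' => 1, 'message' => $e->getMessage()]);
}
```

The same `{"error": ..., "url": ...}` shape as the demo is kept so the editor's client-side upload code can consume it unchanged.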

@lcashdol
Author

commented Aug 22, 2017

I would recommend changing the filename to upload_json.txt so it's not executed on the server.

@luolonghao
Member

commented Aug 22, 2017

upload_json.php includes the following warning message, which I think is enough. If you upload a PHP file to your own server, you should know what happens; it's a basic skill for a developer.

/**
 * KindEditor PHP
 *
 * This PHP program is a demo; it is recommended not to use it directly in a real project.
 * If you are sure you want to use this program directly, please carefully check the relevant security settings before use.
 *
 */
@luolonghao
Member

commented Aug 22, 2017

Hi, I changed the filename, a0daa90