This repository has been archived by the owner on Feb 23, 2021. It is now read-only.

Cross-site Scripting Vulnerability - CVE-2014-3988 #40

Closed
jlthames2 opened this issue Jun 16, 2014 · 5 comments

Comments

@jlthames2

Please be advised:

KCFinder is prone to a Cross-site Scripting (XSS) vulnerability. The problem exists because the application does not sanitize the names of files that are web-browsed by users of the server upon which the application is running. HTML and script can be added to the names of files and/or folders. When a user traverses to a location on the server where a file/folder contains embedded HTML/script within its name, then the HTML/script contained within the file name (or folder name) will execute within the user’s browser environment. This XSS is persistent in that the XSS will be triggered for any user who can access the KCFinder application on a server until the affected file/folder is removed or renamed. I have verified that this XSS issue exists in version 3.11 of KCFinder. Other older versions of KCFinder could be prone to this vulnerability.

Mitre has assigned CVE-2014-3988 to this issue.

The following two images show how the XSS can be triggered. The first image gives an example of a filename that contains script. The second image shows the script in the filename executing in a user's browser.

[Image: kcf1]
[Image: kcf2]
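
An added example, not part of the original issue and not KCFinder's code: a file listing rendered with and without output encoding of file names, which is the class of fix this report calls for. The function names, the entry format and the sample listing are assumptions constructed for illustration.

```javascript
// Added example: not KCFinder's code. All names and data are constructed.

// Escape the five characters significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name is concatenated into markup unescaped, so
// markup inside a file or folder name becomes part of the page.
function renderListingUnsafe(entries) {
  return '<ul>' + entries.map((e) =>
    '<li class="' + e.type + '" title="' + e.name + '">' + e.name + '</li>'
  ).join('') + '</ul>';
}

// Hardened pattern: every server-supplied string is escaped at the point of
// output, in both text and attribute context; the class is allow-listed.
function renderListingSafe(entries) {
  return '<ul>' + entries.map((e) => {
    const type = e.type === 'dir' ? 'dir' : 'file';
    const name = escapeHtml(e.name);
    return '<li class="' + type + '" title="' + name + '">' + name + '</li>';
  }).join('') + '</ul>';
}

// Constructed directory listing, shaped as a server might return it.
const sampleEntries = [
  { type: 'dir', name: 'reports' },
  { type: 'file', name: 'Q&A "final".txt' },
  { type: 'file', name: '<img src=x onerror=alert(1)>.jpg' },
];

// Regression check: true when the rendered HTML contains no tags other
// than the <ul>/<li> elements the renderer itself emits.
function hasOnlyListTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(ul|li)\b/.test(t));
}

console.log('unsafe ok:', hasOnlyListTags(renderListingUnsafe(sampleEntries)));
console.log('safe ok:  ', hasOnlyListTags(renderListingSafe(sampleEntries)));
```

In browser code that builds DOM nodes instead of HTML strings, assigning the name through `textContent` gives the same protection for text content.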

@sunhater
Owner

Thanx! I'm working on it...

@sunhater
Owner

I just published the fix. Please test... It works for me...

@jlthames2
Author

Hi,

I am extremely backlogged with work right now...I'll get this tested asap,
hopefully by early next week.

Thanks!

On Fri, Jun 27, 2014 at 2:12 PM, Pavel Tzonkov notifications@github.com wrote:

> I just published the fix. Please test... It works for me...


@sunhater
Owner

sunhater commented Jul 7, 2014

I'm ready to publish a new release. Please hurry.

@jlthames2
Author

The changes look good to me...I am not able to replicate the previous behavior. I can no longer get the XSS to happen with these changes.

@sunhater sunhater closed this as completed Jul 9, 2014