kalcaddle/KodExplorer

New Reflected XSS in KodExplorer

Eric1253 opened this issue · 1 comments

Analysis

file: app/template/api/view.html

G.shareInfo = {
    path:"<?php echo $_GET['path'];?>",
    name:"<?php echo get_path_this($_GET['path']);?>",
    mtime:0,
    size:0
}

There is no safety check for the variable (path); it is echoed directly into the page.
An attacker can use this bug to send a phishing email to the administrator and capture the admin's cookie in order to control the website.

PoC

http://example.com/index.php?explorer/fileView&path=</script><script>alert(1234)</script>

Screenshots

Local Website Test:


Thanks for your work. We will fix it soon.
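
One way to close the injection reported in this issue, as an added example that is not KodExplorer's code or its actual fix: encode the value as a JavaScript literal with `json_encode` instead of echoing it raw between quotes. `js_literal` is a hypothetical helper name, and the sample `$path` is the payload from the PoC URL above.

```php
<?php
// Added example, not KodExplorer code. js_literal() is a hypothetical helper.
// It encodes a PHP value as a JavaScript string literal that is safe to place
// inside an inline <script> block.
function js_literal($value)
{
    // JSON_HEX_TAG rewrites < and > as \u003C and \u003E, so "</script>" can no
    // longer terminate the script element. The other flags cover quotes and &.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode((string) $value, $flags);

    // json_encode() returns false on invalid UTF-8: fail closed.
    return $json === false ? '""' : $json;
}

// Constructed sample input: the path parameter from the PoC URL in the issue.
$path = '</script><script>alert(1234)</script>';

// Pattern from app/template/api/view.html: raw echo inside a quoted JS string.
$vulnerable = 'path:"' . $path . '",';

// Hardened pattern: the helper emits the quotes itself. In the template this
// would read:  path:<?php echo js_literal($_GET['path']);?>,
// The name field built from the same parameter needs the same encoding.
$hardened = 'path:' . js_literal($path) . ',';

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";

// Checks: the raw form still carries the closing tag, the encoded form has no
// angle brackets at all, and decoding gives back the original value.
if (strpos($vulnerable, '</script>') === false) {
    throw new RuntimeException('raw echo should contain the closing tag');
}
if (strpbrk($hardened, '<>') !== false) {
    throw new RuntimeException('encoded output must not contain < or >');
}
if (json_decode(js_literal($path)) !== $path) {
    throw new RuntimeException('encoding must round-trip');
}
echo "checks passed\n";
```

The JavaScript side still receives the original string after parsing the literal, so any later insertion of `G.shareInfo.path` into the DOM needs its own HTML escaping.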