Vulnerability Type / Importance: Arbitrary file disclosure / High
Problem Discovered: 12 May 2008
Vendor Contacted: 16 May 2008
Advisory Published: 20 May 2008
Abstract
The CKFinder Ajax file browser is vulnerable to an arbitrary file disclosure vulnerability.
Description
GET https://host/_js/fckeditor/ckfinder/core/connector/php/connector.php?command=DownloadFile&type=Files&currentFolder=../../../../../../../etc/&FileName=passwd HTTP/1.1
The above GET request is issued when a user right-clicks a file in the CKFinder file listing and chooses to download it. If the currentFolder and FileName parameters are modified as shown, an attacker is able to read arbitrary operating system files that the web server process can access.
Technical Details
Normal input for the currentFolder parameter is the folder currently being browsed within the CKFinder interface, relative to the configured upload root. The connector does not sanitize the user-supplied currentFolder value, so a sequence of ../ segments escapes from the web server document root into the root file system, and combined with the FileName parameter this allows arbitrary operating system files to be read.
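The check a download connector needs is a containment test on the resolved path, not a blacklist of ".." strings. The following is an added example written for this advisory, not CKFinder's own code or the vendor's 1.2.3 fix; the upload root /srv/ckfinder/userfiles is an assumed value, and the request URLs it handles are the ones quoted in this advisory.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Assumed upload root of the PHP connector (constructed for this example).
BASE_DIR = "/srv/ckfinder/userfiles"


class PathTraversal(ValueError):
    """Raised when a DownloadFile request would leave the upload root."""


def resolve_download_path(current_folder, file_name, base_dir=BASE_DIR):
    """Map currentFolder + FileName onto an absolute path inside base_dir,
    or raise PathTraversal. This is the validation the advisory says the
    vulnerable connector lacks."""
    for value in (current_folder, file_name):
        if "\x00" in value or "\\" in value:
            raise PathTraversal("forbidden character in request")
    # FileName must be a bare name: no separators, not '.' or '..'.
    if file_name in ("", ".", "..") or "/" in file_name:
        raise PathTraversal("FileName is not a bare file name")
    base = os.path.realpath(base_dir)
    # currentFolder is always relative to the upload root, even when it
    # begins with '/', so a leading slash must not re-root the path.
    candidate = os.path.realpath(
        os.path.join(base, current_folder.lstrip("/"), file_name))
    # Containment: equal to base, or under base plus a separator. A plain
    # prefix test would wrongly accept a sibling such as <base>2/.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversal("resolved path escapes the upload root")
    return candidate


def is_allowed(current_folder, file_name, base_dir=BASE_DIR):
    """True if the request resolves inside the upload root."""
    try:
        resolve_download_path(current_folder, file_name, base_dir)
        return True
    except PathTraversal:
        return False


def request_is_allowed(url, base_dir=BASE_DIR):
    """Apply the same check to a full connector URL; parse_qs also decodes
    percent-encoded forms of the parameters."""
    params = parse_qs(urlsplit(url).query)
    if params.get("command", [""])[0] != "DownloadFile":
        return True  # other commands are outside this example's scope
    folder = params.get("currentFolder", [""])[0]
    name = params.get("FileName", [""])[0]
    return is_allowed(folder, name, base_dir)
```

The same test can be run over web server access logs to flag DownloadFile requests that would have escaped the root on an unpatched 1.2.2 install.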
Proof of Concept
http://host/ckfinder/core/connector/php/connector.php?command=DownloadFile&type=Files&currentFolder=../../../../../../etc&FileName=passwd
Workaround / Solutions
The vendor has been contacted and, as a result, CKFinder version 1.2.3 was released, which fixes the above vulnerability.
Tested / Affected Versions
Both IRM and the Vendor have confirmed the issue on CKFinder version 1.2.2.
Credits
Research and Advisory: Chris Papathanasiou
Disclaimer
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.
