kalcaddle kodbox Path Traversal Vulnerability in fileGet/fileSave Function

Vulnerability

A path traversal vulnerability has been identified in kalcaddle kodbox version 1.61.09. The issue arises in the fileGet and fileSave methods within the app/controller/explorer/editor.class.php file. This vulnerability allows remote attackers to manipulate the 'path' argument, potentially leading to arbitrary file read or write operations on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file read or write operations, with the possibility of remote code execution if the written file is executed as a script.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/?explorer/editor/fileGet' endpoint with a 'path' parameter that includes traversal sequences; this invokes the fileGet() method and returns the contents of an arbitrary file on the server. For fileSave(), a POST request to the '/?explorer/editor/fileSave' endpoint with a 'path' parameter naming the file to write and a 'content' parameter holding the data to save will overwrite an existing file or create a new one, which can lead to remote code execution if the written file is later executed as a script.
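As an added example (this is not kodbox's own code; the function and variable names such as resolveWithinRoot, safeFileGet, safeFileSave and $allowedRoot are assumptions chosen for the illustration), the following shows the containment check that handlers like fileGet and fileSave need before touching the filesystem: the user-supplied 'path' is joined to a fixed allowed root, canonicalised, and rejected whenever the canonical result escapes that root. It also covers the write case, where the target file does not exist yet and realpath() returns false, by canonicalising the parent directory instead.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not kodbox code. Resolve $userPath relative to $root and
 * return its canonical absolute form, or null if it cannot be proven to lie
 * inside $root. Handles existing targets (read) and not-yet-existing targets
 * (write) and resolves symlinks, so a link inside the root that points
 * outside it is rejected as well.
 */
function resolveWithinRoot(string $root, string $userPath): ?string
{
    // A NUL byte is never a legitimate part of a filename and truncates the
    // string in some filesystem APIs, so refuse it outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // the allowed root itself must exist
    }
    // Trailing separator makes the prefix test below reject "/root2" for root "/root".
    $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Always treat the value as relative to the root: normalise backslashes and
    // strip leading slashes so an absolute path cannot replace the join.
    $relative  = ltrim(str_replace('\\', '/', $userPath), '/');
    $candidate = $rootReal . $relative;

    $real = realpath($candidate);
    if ($real === false) {
        // Target does not exist (e.g. a new file being saved). Canonicalise the
        // parent, which must already exist, and re-attach the final component.
        // Creating missing intermediate directories is deliberately not allowed.
        $base = basename($candidate);
        if ($base === '' || $base === '.' || $base === '..') {
            return null;
        }
        $parentReal = realpath(dirname($candidate));
        if ($parentReal === false) {
            return null;
        }
        $real = rtrim($parentReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $base;
    }

    // Containment check on the canonical path, not on the raw input: the
    // canonical path must begin with the canonical root plus a separator.
    if (strpos($real, $rootReal) !== 0) {
        return null;
    }
    return $real;
}

/** Read-side wrapper: refuse anything outside the root or not a regular file. */
function safeFileGet(string $allowedRoot, string $userPath): ?string
{
    $target = resolveWithinRoot($allowedRoot, $userPath);
    if ($target === null || !is_file($target)) {
        return null; // caller should log the rejected path and return an error
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

/** Write-side wrapper: the same containment check, applied before the write. */
function safeFileSave(string $allowedRoot, string $userPath, string $content): bool
{
    $target = resolveWithinRoot($allowedRoot, $userPath);
    if ($target === null || is_dir($target)) {
        return false; // caller should log the rejected path and return an error
    }
    return file_put_contents($target, $content, LOCK_EX) !== false;
}
```

With an allowed root of, say, /var/www/kodbox/data (an assumed layout), a 'path' of 'notes/a.txt' resolves to /var/www/kodbox/data/notes/a.txt, while '../../etc/passwd', '/etc/passwd', 'notes/../../x.php' and a value containing a NUL byte all resolve to null and are refused before any read or write. The check is done on the canonicalised path rather than by filtering '..' from the input, which is what defeats encoded, mixed-separator and symlink variants. Containment alone does not remove the execution risk the Impact section describes: the directory that the editor is allowed to write into should also be one the web server never executes scripts from.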

Added: Sep 10, 2025, 11:16 PM
Updated: Sep 10, 2025, 11:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.