Kalcaddle Kodbox Command Injection Vulnerability in Compression Handler
Vulnerability
A command injection vulnerability has been identified in Kalcaddle Kodbox versions through 1.61.10. The issue lies in the Compression Handler component, specifically in the file processing performed by the endpoint '/?explorer/index/zip'. The vulnerability allows remote attackers to inject commands, which can lead to unauthorized command execution on the server.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, potentially leading to a complete compromise of the affected system.
Reproduction
To reproduce this vulnerability, first register a normal account and log in. Once logged in, upload a file and rename it to include a command injection payload. After renaming the file, use the online compression feature, which will trigger the command execution on the server. For example, a payload could be crafted to download a reverse shell script and execute it, establishing a shell connection back to the attacker's machine.
Remediation
Users are advised to update to Kalcaddle Kodbox version 1.62 or later, where this vulnerability has been patched.
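As an added illustration of the defect class described above and the direction of the fix (this is example code, not Kodbox's own source; the function names, the use of a zip command line and the sample file name are assumptions), a PHP handler that interpolates a user-controlled file name into a shell command, beside a hardened version that allowlists the name and quotes every argument:

```php
<?php
// Illustrative code for a file-compression handler. Not Kodbox's code; the
// function names and the use of the `zip` CLI are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern: the user-controlled file name is interpolated into a
 * shell command string, so any shell metacharacters a user places in a
 * renamed upload are interpreted by /bin/sh when the command runs.
 */
function buildZipCommandUnsafe(string $archive, string $fileName): string
{
    return "zip -r $archive $fileName"; // unsafe: $fileName is unquoted
}

/**
 * Hardened pattern: reject anything outside a strict allowlist of base-name
 * characters, then quote every argument so the name is a single literal
 * argv element. Avoiding the shell entirely (e.g. ZipArchive) is stronger.
 */
function buildZipCommandSafe(string $archive, string $fileName): string
{
    // Letters, digits, dot, dash, underscore and space only; no separators.
    if (!preg_match('/\A[A-Za-z0-9._ -]{1,255}\z/', $fileName)
        || strpos($fileName, '..') !== false) {
        throw new InvalidArgumentException('Rejected file name');
    }
    return 'zip -r ' . escapeshellarg($archive) . ' ' . escapeshellarg($fileName);
}

// Constructed sample: a renamed upload carrying a shell command separator.
$suspicious = 'report.txt; echo injected';

// The unsafe builder yields a command in which "echo injected" runs separately.
echo buildZipCommandUnsafe('/tmp/out.zip', $suspicious), PHP_EOL;

// The hardened builder rejects the name before any command is formed.
try {
    buildZipCommandSafe('/tmp/out.zip', $suspicious);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// An ordinary name passes and is emitted as one quoted argument.
echo buildZipCommandSafe('/tmp/out.zip', 'report.txt'), PHP_EOL;
```

Logging the rejected names from the allowlist check gives a cheap detection signal for attempts against a handler of this kind.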
