Kalcaddle Kodbox Unrestricted File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
Kalcaddle Kodbox version 1.64 allows unrestricted file uploads that can lead to remote code execution. The flaw lies in the Public Share Handler component, specifically the Add function in app/controller/explorer/userShare.class.php, which does not prevent a public share from being created on a real filesystem path such as the web server's document root, nor does it withhold upload and edit permissions from such a share. Once an editable public share on the document root exists, anyone holding the share link can upload PHP files into the document root, where the web server executes them.
Impact
Once an editable public share on the document root exists (see Reproduction), an attacker needs no Kodbox account: both the upload through the share link and the subsequent request for the uploaded file are unauthenticated, and the uploaded code runs as the web server user (for example www-data). This allows the creation of persistent web shells, modification of files within the web root, and access to sensitive application data and configuration files.
Reproduction
To reproduce this vulnerability, an administrator first creates a public share with upload (edit) permission whose target is the real web root directory. An unauthenticated user then uploads a PHP file through the share link using the file upload endpoint and requests the uploaded file directly over HTTP; the server executes it, yielding remote code execution.
Remediation
To address this vulnerability, reject public shares whose target resolves to a real filesystem path (in particular anything that overlaps the document root), refuse upload and edit permissions on any share that does point at such a path, and validate uploaded file names so that server-executable types such as PHP are never written where the web server can execute them.
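The following PHP snippet is an added example of the three remediation checks above; it is not kodbox's own code and does not reproduce the project's share or upload API. It assumes a deployment in which all user files live under a data directory that is separate from the web server's document root; both directory paths, the class and method names, and the extension list are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not kodbox's own code. Assumed layout: every user file
// lives under $dataDir, and $docRoot is the web server's document root.

final class ShareGuard
{
    private string $dataDir;
    private string $docRoot;
    private bool $allowRawReadOnly;

    // Extensions the web server is assumed to hand to an interpreter (assumed list).
    private const EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];
    // Server configuration files an upload must never be allowed to create.
    private const CONFIG_NAMES = ['.htaccess', '.user.ini', 'web.config'];

    // $allowRawReadOnly models the second remediation layer: if an operator
    // insists on shares outside the data tree, they are read-only at most.
    public function __construct(string $dataDir, string $docRoot, bool $allowRawReadOnly = false)
    {
        $this->dataDir = self::canonicalDir($dataDir);
        $this->docRoot = self::canonicalDir($docRoot);
        $this->allowRawReadOnly = $allowRawReadOnly;
    }

    // realpath() resolves symlinks and '..'; the trailing slash makes the
    // prefix test exact, so /var/www does not match /var/www2.
    private static function canonicalDir(string $path): string
    {
        $real = realpath($path);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("not a directory: $path");
        }
        return rtrim($real, '/') . '/';
    }

    private static function under(string $path, string $base): bool
    {
        return strncmp($path, $base, strlen($base)) === 0;
    }

    /** Returns null if the share may be created, otherwise the reason it is refused. */
    public function rejectShare(string $target, bool $allowUpload, bool $allowEdit): ?string
    {
        $real = realpath($target);
        if ($real === false) {
            return 'share target does not exist';
        }
        if (is_dir($real)) {
            $real = rtrim($real, '/') . '/';
        }
        // A share that contains, or is contained in, the document root would
        // let uploaded files land where the server executes them: refuse it.
        if (self::under($real, $this->docRoot) || self::under($this->docRoot, $real)) {
            return 'share target overlaps the web document root';
        }
        // Public shares are only meant for the application's data tree.
        if (!self::under($real, $this->dataDir)) {
            if (!$this->allowRawReadOnly) {
                return 'share target is outside the data directory';
            }
            if ($allowUpload || $allowEdit) {
                return 'upload/edit is not permitted on shares outside the data directory';
            }
        }
        return null;
    }

    /** Returns null if $name is safe to store, otherwise the reason it is refused. */
    public static function rejectUploadName(string $name): ?string
    {
        if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
            return 'file name must be a plain base name';
        }
        if (in_array(strtolower($name), self::CONFIG_NAMES, true)) {
            return 'server configuration files cannot be uploaded';
        }
        // Check every dotted segment, so shell.php.jpg is caught as well as
        // shell.php (Apache's AddHandler may execute on any segment).
        $parts = explode('.', strtolower($name));
        array_shift($parts);
        foreach ($parts as $ext) {
            if (in_array($ext, self::EXECUTABLE, true)) {
                return "executable extension .$ext is not allowed";
            }
        }
        return null;
    }
}

// Usage: build a throwaway layout under the system temp directory.
$base = sys_get_temp_dir() . '/shareguard_' . getmypid();
foreach (['www', 'data/user1'] as $d) {
    mkdir("$base/$d", 0700, true);
}
$guard = new ShareGuard("$base/data", "$base/www");

var_dump($guard->rejectShare("$base/data/user1", true, true));   // case: share inside the data tree
var_dump($guard->rejectShare("$base/www", true, false));          // case: share on the document root itself
var_dump($guard->rejectShare("$base/data/../www", false, false)); // case: '..' pointing back at the document root
var_dump(ShareGuard::rejectUploadName('report.pdf'));            // case: ordinary document
var_dump(ShareGuard::rejectUploadName('shell.php.jpg'));         // case: double extension

foreach (["$base/data/user1", "$base/data", "$base/www", $base] as $d) {
    rmdir($d);
}
```

The two share checks are deliberately independent: overlap with the document root is refused before the data-directory rule is consulted, so a misconfiguration that places the data tree inside the document root still cannot be turned into a public upload point. Because realpath() is applied to both the share target and the configured directories, symlinks and `..` segments cannot be used to escape the comparison.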
