Kalcaddle Kodbox Improper Authentication Vulnerability in Password-Protected Share Handler
Vulnerability
An improper authentication vulnerability has been identified in Kalcaddle Kodbox version 1.64. The issue arises in the Password-protected Share Handler, specifically within the 'can' function of 'auth.class.php'. This vulnerability allows authenticated collaborators to bypass folder password requirements when accessing shared folders, enabling direct file downloads from those folders without knowledge of the password. The flaw can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability bypasses the intended folder password protection on shared collaborative folders, allowing unauthorized access to files. This could lead to unauthorized exposure of sensitive documents that are supposed to be protected by the folder password.
Reproduction
To reproduce this vulnerability, an authenticated collaborator must access a shared folder that requires a password. The 'can' function in 'auth.class.php' will skip the password checks for direct file downloads via the 'fileOut' endpoint, allowing the collaborator to download files from the folder without entering the required password. This can be verified by checking the folder password status through the listing endpoint, which will indicate that a password is needed, and then successfully downloading a file using the 'fileOut' endpoint without providing the password.
Remediation
To address this vulnerability, folder password checks should be applied to 'KOD_SHARE_ITEM' paths in the 'can' function. Additionally, folder password enforcement should be centralized to run before all read operations that return file contents, ensuring consistent protection across all relevant endpoints.
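A simplified model of the remediation above, as an added example that is not Kodbox's own code: it contrasts a folder password check enforced only on the listing action with one centralized gate in front of every read that returns content. All function names, paths and the password are hypothetical, constructed values.

```php
<?php
declare(strict_types=1);
// Added illustration with hypothetical names, not Kodbox's code; sample data is constructed.
// Password-protected shared folder => password hash.
$protected = ['/share/finance' => password_hash('constructed-pass', PASSWORD_DEFAULT)];

/** Nearest password-protected ancestor of $path (or $path itself), else null. */
function protectedAncestor(string $path, array $protected): ?string
{
    $best = null;
    foreach (array_keys($protected) as $folder) {
        $prefix = rtrim($folder, '/') . '/';
        $inside = $path === $folder || strncmp($path, $prefix, strlen($prefix)) === 0;
        if ($inside && ($best === null || strlen($folder) > strlen($best))) {
            $best = $folder;
        }
    }
    return $best;
}

/** Flawed model: the folder password is enforced on the listing action only. */
function canReadPerEndpoint(string $action, string $path, array $unlocked, array $protected): bool
{
    if ($action !== 'list') {
        return true; // the download path never consults the folder password
    }
    $folder = protectedAncestor($path, $protected);
    return $folder === null || in_array($folder, $unlocked, true);
}

/** Centralized model: one gate for every content-returning action; $action is deliberately ignored. */
function canReadCentral(string $action, string $path, array $unlocked, array $protected): bool
{
    $folder = protectedAncestor($path, $protected);
    return $folder === null || in_array($folder, $unlocked, true);
}

/** Records a folder as unlocked only after the submitted password verifies. */
function unlock(string $folder, string $password, array $unlocked, array $protected): array
{
    $ok = isset($protected[$folder]) && password_verify($password, $protected[$folder]);
    return $ok ? array_merge($unlocked, [$folder]) : $unlocked;
}

// Regression check: the collaborator is authenticated but has not entered the password.
$file = '/share/finance/q3.xlsx';
var_dump(canReadPerEndpoint('fileOut', $file, [], $protected)); // flawed model
var_dump(canReadCentral('fileOut', $file, [], $protected));     // centralized gate
$unlocked = unlock('/share/finance', 'constructed-pass', [], $protected);
var_dump(canReadCentral('fileOut', $file, $unlocked, $protected));
```

A regression test of this shape, run against each endpoint that returns file contents, confirms that the listing and download paths agree on the folder's password state.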
