Skip to content ↓ | Skip to navigation ↓

Recently, while fuzzing web applications, I found a stored cross-site scripting (XSS) vulnerability in KCFinder.

KCFinder is a web-based file utility. Essentially, KCFinder allows you to upload and download files using your Web browser. KCFinder can run as a stand-alone, Web-based file utility. However, it can also be integrated into other Web applications that allow its users to interact with the server’s file system.With the many different types of Web services and cloud platforms that exist, file utilities, such as KCFinder, are increasing in popularity.

This particular XSS vulnerability (CVE-2014-3988) in KCFinder existed due to improper sanitization of file and directory (folder) names. This is similar to the XSS vulnerability that I discovered in phpMyAdmin (CVE-2014-1879).

For the KCFinder XSS vulnerability, JavaScipt (or other browser-friendly scripting languages) could be added to the name of uploaded files and folders. When a user browses to a location containing the malicious file names, the JavaScript embedded within the name could perform malicious actions, such as stealing cookies or embedding external scripts. This vulnerability could be used as a stepping stone to launch browser exploits against the victim, creating an exploit chain that gains access to their desktop environment.

This XSS vulnerability was fixed in KCFinder version 3.12. If you are using a version earlier than 3.12 in your environment, I would strongly advise that you update to the latest version.

CVE-2014-3988 and CVE-2014-1879 are two XSS vulnerabilities that I discovered while doing research as a member of Tripwire’s Vulnerability and Exposure Research (VERT) team. In a future blog post, I will differentiate these two XSS vulnerabilities to show how they compare to one another and to show why finding and preventing XSS vulnerabilities will continue to play a very important role in cybersecurity operations.


Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].