Recently, while fuzzing web applications, I found a stored cross-site scripting (XSS) vulnerability in KCFinder.
KCFinder is a web-based file utility. Essentially, KCFinder allows you to upload and download files using your Web browser. KCFinder can run as a stand-alone, Web-based file utility. However, it can also be integrated into other Web applications that allow its users to interact with the server’s file system.With the many different types of Web services and cloud platforms that exist, file utilities, such as KCFinder, are increasing in popularity.
This particular XSS vulnerability (CVE-2014-3988) in KCFinder existed due to improper sanitization of file and directory (folder) names. This is similar to the XSS vulnerability that I discovered in phpMyAdmin (CVE-2014-1879).
This XSS vulnerability was fixed in KCFinder version 3.12. If you are using a version earlier than 3.12 in your environment, I would strongly advise that you update to the latest version.
CVE-2014-3988 and CVE-2014-1879 are two XSS vulnerabilities that I discovered while doing research as a member of Tripwire’s Vulnerability and Exposure Research (VERT) team. In a future blog post, I will differentiate these two XSS vulnerabilities to show how they compare to one another and to show why finding and preventing XSS vulnerabilities will continue to play a very important role in cybersecurity operations.
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].