KCFinder Vulnerability

Vulnerability Summary for KCFinder

Thanks to Portcullis Security Advisories, who were kind enough to provide the details and assistance needed to fix the security hole in the kcfinder library packaged with earlier versions of Vtiger CRM.

Summary: kcfinder allowed an authenticated (logged-in) CRM user to read files outside the web directory on the server.

Update: The fix applied to kcfinder (at changeset 14021) now restricts access to files outside the web directory on the server.

This is the patch that fixes the issue:

Index: kcfinder/core/browser.php
===================================================================
--- kcfinder/core/browser.php	(revisión: 7055)
+++ kcfinder/core/browser.php	(copia de trabajo)
@@ -286,6 +286,10 @@
         )
             $this->errorMsg("Unknown error.");
 
+		if(!$this->filePathAccessible($file)) {
+			$this->errorMsg("Invalid file location access.");
+		}
+
         header("Pragma: public");
         header("Expires: 0");
         header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
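Review bot: The added guard is indented with tabs and written as `if(` while the surrounding lines use four-space indentation and `if (` (see the `header(...)` context lines directly below); the same mismatch appears in the second, third and fourth hunks. Re-indenting the inserted lines to match the file keeps the diff readable and avoids mixed whitespace in a security-sensitive path. The enclosing method starts before this hunk, so `$file` is assigned outside the visible lines; its value is presumably built from `$this->post`, which is why the realpath-based check is the right place to constrain it.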
@@ -309,6 +313,10 @@
         )
             $this->errorMsg("Unknown error.");
 
+		if(!$this->filePathAccessible($file)) {
+			$this->errorMsg("Invalid file location access.");
+		}
+
         $newName = trim($this->post['newName']);
         if (!strlen($newName))
             $this->errorMsg("Please enter new file name.");
@@ -335,6 +343,12 @@
 
     protected function act_delete() {
         $dir = $this->postDir();
+
+		$file = "$dir/{$this->post['file']}";
+		if(!$this->filePathAccessible($file)) {
+			$this->errorMsg("Invalid file location access.");
+		}
+
         if ($this->config['readonly'] ||
             !isset($this->post['dir']) ||
             !isset($this->post['file']) ||
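Review bot: `$this->post['file']` is read on the first added line of act_delete before the existing `!isset($this->post['file'])` guard that follows it, so a request without a `file` parameter now raises an undefined-index notice and passes an incomplete path to filePathAccessible instead of reaching the intended "missing parameter" handling. Move the four inserted lines below the existing validation `if (...)` block, which continues past the end of this hunk, so the parameter is known to exist before the path is built. The same ordering is already correct in the first two hunks, where the check sits after the existing validation.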
@@ -769,6 +783,16 @@
             die($this->output(array('message' => $message), 'error'));
         }
     }
+
+	protected function filePathAccessible($file) {
+		// Ensure the file operation is constrained to the uploadDir configured.
+		$uploadDirPath = realpath($this->config['uploadDir']);
+		$filePath = realpath($file);
+		if (strpos($filePath, $uploadDirPath) !== 0) {
+			return false;
+		}
+		return true;
+	}
 }
 
 ?>
\ No newline at end of file
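Review bot: `strpos($filePath, $uploadDirPath) !== 0` is a plain string-prefix test, so a sibling directory whose name merely starts with the upload directory's name (for example `<uploadDir>_archive`) would pass the check; the comparison needs either exact equality or a prefix of `$uploadDirPath . DIRECTORY_SEPARATOR`. The function also does not handle `realpath()` returning `false` for either path: a misconfigured `uploadDir` or a non-existent `$file` then feeds `false` into strpos, and the outcome depends on PHP's coercion rules rather than an explicit decision, so both cases should return `false` up front. Note that the `realpath()` on `$file` resolves symlinks, which is what makes the check meaningful against `..` segments and links planted inside the upload directory; worth stating in the comment. The rewritten body below keeps the signature and the existing comment style.
```php
	protected function filePathAccessible($file) {
		// Ensure the file operation is constrained to the uploadDir configured.
		// realpath() resolves '..' segments and symlinks, so the comparison
		// is made on canonical paths; false means the path does not exist.
		$uploadDirPath = realpath($this->config['uploadDir']);
		$filePath = realpath($file);
		if ($uploadDirPath === false || $filePath === false) {
			return false;
		}
		// Require the upload dir itself or a path *inside* it (separator-bounded),
		// so a sibling directory sharing the name prefix is not accepted.
		return $filePath === $uploadDirPath
			|| strpos($filePath, $uploadDirPath . DIRECTORY_SEPARATOR) === 0;
	}
```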