Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
Description
ZK CKEditor allows file browsing of arbitrary folders.
An attacker can enumerate filenames on the server, discover folders and other information. Even though the code "ignores" the "WEB-INF" and "META-INF" paths, their content is shown* when they are set as the browsing root.
The parameter "Type" needs to be set to "Files"; the parameter "url" denotes the folder within the webroot.
See live demo here:
https://www.zkoss.org/zkdemo/zkau/web/bb1940f4/ckez/html/browse.zul?Type=Files&url=/WEB-INF/&CKEditor=aLGPn-cnt&CKEditorFuncNum=2&langCode=en
* Limited to the extensions listed in the source of ZK CKEditor (.jsp, .php etc.).
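The following is an added example (not ZK's own code) that shows in Python why a filter on entry names does not confine the browsing root, and how canonicalising the "url" parameter and checking it against a fixed allowed root does; ALLOWED_ROOT and the sample parameters are constructed for illustration.

```python
"""Confining a file-browser 'url' parameter to an allow-listed root.

The weak check below hides entries *named* WEB-INF/META-INF while listing,
which is the kind of filter the report describes; it says nothing about the
root being browsed, so Type=Files&url=/WEB-INF/ still lists that folder.
The hardened check canonicalises the path and requires it to lie under one
fixed root. All paths and names here are constructed, not taken from ZK.
"""
from pathlib import PurePosixPath
from typing import Optional

# Constructed: the only folder (relative to the webroot) the browser may expose.
ALLOWED_ROOT = PurePosixPath("/uploads")
# Folder names that must never appear anywhere in an exposed path.
DENIED_SEGMENTS = {"WEB-INF", "META-INF"}


def weak_is_visible_entry(name: str) -> bool:
    """Per-entry filter: hides entries called WEB-INF/META-INF, nothing more.
    Files inside /WEB-INF (e.g. web.xml) pass this check unchanged."""
    return name not in DENIED_SEGMENTS


def canonicalise(url: str) -> PurePosixPath:
    """Collapse '.', '..', repeated and backslash separators without touching
    the filesystem, so the confinement check sees the effective path."""
    parts = []
    for seg in url.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return PurePosixPath("/", *parts)


def resolve_browse_root(params: dict) -> Optional[str]:
    """Return the folder to list for a Type=Files request, or None to reject."""
    if params.get("Type") != "Files":
        return None
    url = canonicalise(params.get("url", "/"))
    # Confinement: the canonical path must be the allowed root or inside it.
    if url != ALLOWED_ROOT and ALLOWED_ROOT not in url.parents:
        return None
    # Defence in depth: reject a denied folder name at any depth.
    if DENIED_SEGMENTS.intersection(url.parts):
        return None
    return str(url)
```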