The CKFinder file manager was found to be exposed without authentication, allowing unauthenticated users to directly access its web interface. Due to this misconfiguration, attackers were able to browse server directories, upload arbitrary files, and manage existing files.
PoC code [public]
id: unauth-ckfinder

info:
  name: CKFinder - Unauthenticated Exposure
  author: Amjad Ali
  severity: high
  description: |
    The CKFinder file manager was found to be exposed without authentication, allowing unauthenticated users to directly access its web interface. Due to this misconfiguration, attackers were able to browse server directories, upload arbitrary files, and manage existing files.
  reference:
    - https://cksource.com/ckfinder
    - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
  metadata:
    verified: true
    max-request: 1
    google-query: inurl:ckfinder/ckfinder.html ext:html
  tags: ckfinder,misconfig,unauth,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/ckfinder/ckfinder.html"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<title>CKFinder</title>"
          - "CKFinderFrameWindow"
          - "var ckfinder = new CKFinder"
          - "CKFinder.start()"
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - "<title>([^<]+)</title>"
# digest: 4a0a0047304502210098077d56223a3072675aeed8efd54309db7395ec70c2ddfee8e8ef63eaa5f87d02207d2bd31eb6c6a7092a8a2471cabb14aa6c419f38edef6f564b29aa24f96378ac:922c64590222798bb761d5b6d8e72950
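
As an added example (not part of the original template or of the Nuclei project), the Python below re-implements the template's matcher logic so that saved responses from your own deployment can be checked before and after access control is put in front of CKFinder. The function names and the sample responses are constructed for illustration.

```python
import re

# Marker strings and title regex copied from the template above.
WORDS = [
    "<title>CKFinder</title>",
    "CKFinderFrameWindow",
    "var ckfinder = new CKFinder",
    "CKFinder.start()",
]
TITLE_RE = re.compile(r"<title>([^<]+)</title>")


def evaluate(status, body):
    """Apply the template's logic to one HTTP response.

    matchers-condition "and": word matcher and status matcher must both hold.
    Word matcher condition "or": any single marker string is enough.
    Returns (matched, title); the title is returned only for a match.
    """
    word_hit = any(w in body for w in WORDS)   # case-sensitive substring test
    status_hit = status == 200
    matched = word_hit and status_hit
    m = TITLE_RE.search(body)
    title = m.group(1) if (matched and m) else None
    return matched, title


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    # File manager page served to an anonymous client: should match.
    "exposed": (200, "<html><head><title>CKFinder</title></head>"
                     "<body><script>CKFinder.start()</script></body></html>"),
    # Same URL after a login wall is added: 200, but no CKFinder markers.
    "login_wall": (200, "<html><head><title>Sign in</title></head>"
                        "<body><form action='/login'></form></body></html>"),
    # Access denied by the web server: marker present, status is not 200.
    "forbidden": (403, "<html><head><title>CKFinder</title></head>"
                       "<body>Forbidden</body></html>"),
}


def audit(samples):
    """Evaluate every (status, body) pair and return results keyed by name."""
    return {name: evaluate(s, b) for name, (s, b) in samples.items()}


if __name__ == "__main__":
    for name, (matched, title) in audit(SAMPLES).items():
        print(f"{name:12} matched={matched} title={title}")
```

A match means only that the CKFinder page was served with HTTP 200 and contained one of the marker strings; the template sends a single GET and no file-manager command.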