## https://sploitus.com/exploit?id=0F3EE27D-82BD-5360-995F-969C90DCAD0F
# GitHub Security Advisory: Kleeja File Sharing - Critical Auth Bypass via Cookie Forgery + PHP Object Injection

---

## Advisory Information

| Field | Value |
|-------|-------|
| **Severity** | Critical |
| **CWE** | CWE-502 (Deserialization) / CWE-287 (Auth Bypass) / CWE-327 (Weak Cryptography) |
| **CVSS v3.1** | 9.8 (Cookie Forgery + Deserialization) / 8.8 (.htaccess Bypass RCE) |
| **CVSS Vector** | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

---

## Summary

Kleeja (191 stars, PHP file sharing application) contains critical vulnerabilities: (1) authentication bypass via cookie forgery: the cookie "encryption" is a trivially reversible substitution cipher, and the decrypted cookie is passed to `unserialize()`, enabling PHP Object Injection; (2) the `$group_id` in the cookie is attacker-controlled, allowing privilege escalation to admin; (3) PHP execution prevention in `.htaccess` fails on PHP 7+/FPM setups; (4) file upload content validation is trivially bypassed.

---

## Vulnerability Details

### Affected Package/Repository

- **Repository:** `kleeja-official/kleeja`
- **Affected Versions:** Current
- **Patched Version:** N/A (0-day)
- **Commit Hash (audited):** `48e42911e1c0b13c5754a154e8d510ebf84e7880`

---

## CVE-REQUEST-001: Auth Bypass + PHP Object Injection via Cookie (CVSS 9.8)

**File:** `includes/usr.php`, lines 420-437 (cookie parsing), 348-390 (encryption)

**Vulnerable Cookie Creation (line 144):**
```php
$user_y = base64_encode(serialize([
    'id' => $row['id'], 'name' => $row['name'],
    'mail' => $row['mail'], 'last_visit' => $row['last_visit']
]));
```

**Vulnerable Cookie Parsing (lines 420-437):**
```php
list($user_id, $hashed_password, $expire_at, $hashed_expire, $group_id, $u_info) = 
    @explode('|', $this->en_de_crypt($this->kleeja_get_cookie('ulogu'), 2));

// ...
$userinfo = unserialize(base64_decode($u_info));  // PHP OBJECT INJECTION!
$userinfo['group_id'] = $group_id;                 // GROUP FROM COOKIE!
define('GROUP_ID', $userinfo['group_id']);         // ATTACKER-CONTROLLED
```

**Encryption Weakness (lines 348-390):**
```php
function en_de_crypt($data, $type = 1) {
    $txt   = [];
    $chars = str_split($config['h_key']);      // the site "key" from the config
    foreach (range('a', 'z') as $k => $v) {
        if (!isset($chars[$k])) break;
        $txt[$v] = $chars[$k] . $k . '-';      // one fixed token per letter a-z
    }
    // Simple character substitution cipher, not encryption
    // ...
}
```

The `en_de_crypt()` function is NOT encryption; it is a character substitution cipher. At most 26 characters are substituted. An attacker who registers an account, receives a cookie, and observes the mapping can reverse-engineer the key and forge cookies with `group_id=1` (admin).

**Attack Vector:**
1. Register a user account and receive a cookie
2. Base64-decode the cookie and observe the substitution pattern
3. Forge a cookie with `$group_id=1` (admin group)
4. Set `$u_info` to a crafted serialized PHP object to trigger object injection via POP gadgets
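
A hardened replacement for the cookie scheme above, as an added example that is not Kleeja's code: the cookie carries only the user id, an expiry and an HMAC tag, `group_id` is looked up from a stand-in users table on every request, and any leftover serialized `u_info` blob is decoded with `allowed_classes` disabled. `COOKIE_KEY`, `fetch_user_from_db()` and the other function names are assumptions.

```php
<?php
// Added example, not Kleeja's code. COOKIE_KEY and fetch_user_from_db() are
// assumed stand-ins for the site key (generate it with random_bytes()) and the users table.
const COOKIE_KEY = 'load-32-random-bytes-from-config';   // assumption: loaded from config

// Constructed stand-in for the users table: id => [name, group_id].
function fetch_user_from_db(int $id): ?array {
    $users = [1 => ['name' => 'admin', 'group_id' => 1], 7 => ['name' => 'alice', 'group_id' => 2]];
    return $users[$id] ?? null;
}

// Cookie = "id|expire|hmac". It carries no group and no serialized data.
function make_login_cookie(int $user_id, int $expire_at): string {
    $payload = $user_id . '|' . $expire_at;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Returns the DB record (so group_id comes from the DB) or null on any failure.
function parse_login_cookie(string $cookie, int $now): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !preg_match('/\A\d{1,10}\z/', $parts[0]) || !preg_match('/\A\d{1,10}\z/', $parts[1])) {
        return null;
    }
    [$user_id, $expire_at, $tag] = $parts;
    $expected = hash_hmac('sha256', $user_id . '|' . $expire_at, COOKIE_KEY);
    if (!hash_equals($expected, $tag) || (int)$expire_at < $now) {   // constant-time compare
        return null;
    }
    return fetch_user_from_db((int)$user_id);
}

// If a serialized u_info blob has to stay, never let it instantiate classes:
// allowed_classes => false turns objects into __PHP_Incomplete_Class, so no
// __wakeup/__destruct gadget runs; anything that is not a plain array is dropped.
function decode_u_info(string $b64): ?array {
    $raw = base64_decode($b64, true);
    $val = $raw === false ? false : @unserialize($raw, ['allowed_classes' => false]);
    return is_array($val) ? $val : null;
}

$now  = 1700000000;
$good = make_login_cookie(7, $now + 3600);
var_dump(parse_login_cookie($good, $now)['group_id']);   // group taken from the DB, not the cookie
// Tampering: swap in the admin's id but keep the old tag; the HMAC check rejects it.
$forged = '1|' . ($now + 3600) . '|' . explode('|', $good)[2];
var_dump(parse_login_cookie($forged, $now));
var_dump(decode_u_info(base64_encode(serialize(['id' => 7]))));   // plain array is accepted
var_dump(decode_u_info(base64_encode('O:8:"stdClass":0:{}')));   // serialized object is refused
```

Only the HMAC key is secret; the cookie payload itself is plaintext, which is fine because nothing in it is trusted without the tag and nothing privilege-related is read from it.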

---

## CVE-REQUEST-002: .htaccess Bypass - PHP Execution on PHP 7+/FPM (CVSS 8.8)

**File:** `uploads/.htaccess`

```apache
# Only takes effect when mod_php5 is loaded
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

On PHP 7.x, 8.x, or any FPM/FastCGI setup, `mod_php5.c` does NOT exist, so `php_flag engine off` never runs. PHP execution is enabled. Combined with file upload bypasses, an uploaded `.php` file is executable.

**Additional .htaccess bypass in extension check:**
```php
// includes/up_helpers/others.php, lines 23-48
$tmp = explode('.', $filename);
if (sizeof($tmp)
    // ...
```

---

## CVE-REQUEST-003: Upload Content Validation Bypass for Files > 6MB (CVSS 7.8)

**File:** `includes/up_helpers/others.php`, lines 259-280

```php
// Files > 6MB SKIP content check entirely
if (@filesize($file_path) > 6*(1000*1024)) {
    return true;
}

// Incomplete PHP code detection blacklist:
$maybe_bad_codes_are = [
    // ...
];
```

**Attack Vector:**
1. Upload a file > 6MB: content validation is skipped
2. Use an opening-tag variant that is not in the blacklist
3. Use short tags, which are not in the blacklist
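
A replacement upload check, as an added example that is not Kleeja's code: every file is streamed regardless of size, the scan covers the full tag, the echo tag, short tags and the `<script language="php">` form, and the extension check inspects every dot-separated segment of the name. `BLOCKED_EXTENSIONS` and the function names are assumptions.

```php
<?php
// Added example, not Kleeja's code: a replacement upload check that scans every
// file regardless of size and inspects every extension segment. Names assumed.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'htaccess', 'htpasswd'];

// Blocked if ANY dot-separated segment after the base name is a blocked
// extension, which also catches shell.php.jpg, shell.php. and .htaccess.
function has_blocked_extension(string $filename): bool {
    $segments = explode('.', strtolower(basename($filename)));
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Streams the whole file; there is no size cut-off. A 32-byte carry-over keeps
// a tag split across two chunks from being missed. The pattern covers the
// full tag, the echo tag, short tags and the script-language form.
function contains_php_code(string $path): bool {
    $pattern = '/<\?(php\b|=|\s)|<script[^>]*language\s*=\s*["\']?php/i';
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return true;                       // unreadable: fail closed
    }
    $carry = '';
    while (($chunk = fread($fh, 65536)) !== false && $chunk !== '') {
        if (preg_match($pattern, $carry . $chunk) === 1) {
            fclose($fh);
            return true;
        }
        $carry = substr($chunk, -32);
    }
    fclose($fh);
    return false;
}

// Constructed sample: 7 MB of padding followed by a short echo tag, i.e. the
// exact case the original check skips.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, str_repeat('A', 7 * 1024 * 1024) . "<?= phpversion() ?>");
var_dump(contains_php_code($tmp));                // scanned even though it is > 6MB
var_dump(has_blocked_extension('shell.php.jpg')); // double extension
var_dump(has_blocked_extension('.htaccess'));     // server config upload
var_dump(has_blocked_extension('photo.jpeg'));    // ordinary image
unlink($tmp);
```

Content scanning is only a second line of defence; the primary control is the web server never executing anything under `uploads/`, whatever the PHP SAPI.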

---

## Additional Findings (22 total)

| # | Vulnerability | CVSS | Auth |
|---|--------------|------|------|
| H-2 | Auth bypass via cookie group_id elevation | 8.6 | No |
| M-1 | IDOR: no ownership check on file downloads | 6.5 | No |
| M-2 | Open redirect in login | 6.1 | No |
| M-3 | CSRF on file delete (GET-based) | 6.5 | No |
| M-4 | Weak delete code generation (sha1+uniqid) | 5.3 | Yes |
| M-5 | Upload progress session data leak | 5.3 | No |
| M-6 | Arbitrary PHP write via plugins_rules.php | 6.5 | Admin |
| M-7 | ZIP path traversal in plugin/style extraction | 6.3 | Admin |
| M-8 | Weak CSRF token (valid for entire hour) | 5.0 | No |
| M-9 | Deserialization in search filter | 5.0 | Admin |
| M-10 | User enumeration via timing | 4.3 | No |
| M-11 | Username dot injection for path traversal | 4.0 | No |
| L-1 | Error handler leaks file paths | 3.3 | No |
| L-2 | MIME type falls back to user input | 3.1 | No |
| L-3 | Debug query disclosure | 3.3 | Admin |

---

## Impact

- **Full account takeover** via cookie forgery (any user to admin)
- **Remote Code Execution** via PHP Object Injection (POP gadgets from mPDF/Smarty)
- **RCE via file upload** on PHP 7+/FPM setups
- **Arbitrary file access** via IDOR (enumerate all file IDs)
- **Data breach** via .htaccess upload, then read all files

---

## Patches / Fix

1. Replace the substitution cipher with AES-256-GCM or HMAC-based cookie signing
2. Add `['allowed_classes' => false]` to ALL `unserialize()` calls
3. Do NOT parse `group_id` from the cookie; derive it from the database on every request
4. Update `.htaccess` so PHP execution is also blocked on PHP 7+/FPM
5. Fix the extension check to handle all filename patterns
6. Remove the 6MB content check bypass; scan ALL files regardless of size
7. Add an ownership check on file downloads
8. Replace `sha1(uniqid())` with `random_bytes()` for delete codes

---

## Disclosure Timeline

- **2026-06-28:** All 22 vulnerabilities discovered by Fatullayev Asadbek (Kimdir01)
- **TBD:** Reported to maintainer
- **TBD:** CVEs requested via GitHub
- **TBD:** Advisories published

---

## Credits

- Discovered by: Fatullayev Asadbek | GitHub: Kimdir01
- Independent security researcher

---

## References

- CWE-502: Deserialization of Untrusted Data
- CWE-287: Improper Authentication
- CWE-327: Use of Broken/Risky Cryptographic Algorithm
- CWE-434: Unrestricted Upload of Dangerous File Type