CVE-2021-36440
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary files to ShowDoc servers, which can lead to remote code execution. Attackers can exploit the 'file_url' parameter in AdminUpdateController.class.php to upload malicious files. All ShowDoc installations running version 2.9.5 or earlier are affected.
💻 Affected Systems
- ShowDoc
📦 What is this software?
Showdoc by Showdoc
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the server, data exfiltration, and lateral movement within the network.
Likely Case
Remote code execution leading to web shell installation, data theft, and potential ransomware deployment.
If Mitigated
File uploads restricted to authorized administrators only with proper file type validation and storage outside web root.
🎯 Exploit Status
Exploit requires minimal technical skill. Public proof-of-concept code is available in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.9.6 and later
Vendor Advisory: https://github.com/star7th/showdoc/issues/1406
Restart Required: No
Instructions:
1. Backup your ShowDoc installation and database.
2. Download the latest version from GitHub.
3. Replace the affected files with patched versions.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit access to the admin panel to trusted IP addresses only
# Configure web server (Apache example, mod_rewrite). A <Location> block matches only the
# path, never the query string, so the ?s=/api/adminUpdate route has to be tested with RewriteCond
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/server/index\.php$
RewriteCond %{QUERY_STRING} (^|&)s=/api/adminUpdate
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
RewriteRule ^ - [F,L]
# Configure web server (Nginx example). location blocks also never see the query string, so
# test $request_uri, which includes it. geo and map go in the http block, the if in the server block
geo $showdoc_trusted { default 0; 192.168.1.0/24 1; }
map "$showdoc_trusted:$request_uri" $deny_admin_update {
    default 0;
    "~^0:/server/index\.php\?s=/api/adminUpdate" 1;
}
if ($deny_admin_update) { return 403; }
# Both rules match the raw request; percent-encoded forms of the same route are not covered
Disable File Upload Endpoint
Block access to the vulnerable AdminUpdateController endpoint
# Apache .htaccess in the web root. RewriteRule matches only the path, so the
# ?s=/api/adminUpdate route must be tested with RewriteCond on the query string
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)s=/api/adminUpdate
RewriteRule ^server/index\.php$ - [F,L]
# Nginx configuration (inside the server block; location blocks never match the
# query string, so test $request_uri, which still includes it)
if ($request_uri ~ "^/server/index\.php\?s=/api/adminUpdate") {
    return 403;
}
🧯 If You Can't Patch
- Implement strict WAF rules to block requests containing 'file_url' parameter patterns
- Deploy network segmentation to isolate ShowDoc servers from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check ShowDoc version in admin panel or by examining the application files. Version 2.9.5 or earlier is vulnerable.
Check Version:
Check the version.txt file in ShowDoc installation directory or view the admin panel dashboard.
Verify Fix Applied:
Verify version is 2.9.6 or later. Test the file upload functionality with malicious file types to ensure they are rejected.
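The version check above is easy to get wrong when done as a string comparison (for example "2.10.0" sorts below "2.9.6" lexically). The following script is an added example, not part of this advisory or of ShowDoc; it assumes, as stated above, that a version.txt file exists in the installation directory and contains a dotted version number such as "v2.9.5".

```python
import re
from pathlib import Path

# First fixed release named in the advisory (2.9.6 and later are patched).
FIXED_VERSION = (2, 9, 6)


def parse_version(text: str) -> tuple:
    """Extract 'major.minor.patch' from text such as 'v2.9.5\\n' as an integer tuple.

    Integer tuples compare numerically, so (2, 10, 0) > (2, 9, 6), which a plain
    string comparison would get wrong.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True for 2.9.5 and earlier, False for 2.9.6 and later."""
    return parse_version(version_text) < FIXED_VERSION


def check_install(install_dir: str) -> bool:
    """Read version.txt from the ShowDoc install directory (path assumed per the advisory)."""
    version_file = Path(install_dir, "version.txt")
    return is_vulnerable(version_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    import sys

    # Usage: python check_showdoc_version.py /path/to/showdoc
    print("vulnerable" if check_install(sys.argv[1]) else "patched")
```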
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /server/index.php?s=/api/adminUpdate with file_url parameter
- Uploads of executable files (.php, .jsp, .asp) to unexpected locations
- Unusual file creation in web directories
Network Indicators:
- POST requests to admin update endpoint from unexpected sources
- File uploads to ShowDoc servers from external IPs
SIEM Query:
source="web_server" AND (uri="/server/index.php?s=/api/adminUpdate" OR post_params CONTAINS "file_url")
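A SIEM query that matches the literal URI misses percent-encoded forms of the same route (s=%2Fapi%2FadminUpdate), which the PHP application decodes identically. The script below is an added example, not part of this advisory; it runs the detection logic from the log indicators above over constructed Combined Log Format lines, decoding the query string before matching, and rates requests from outside a trusted admin network (192.168.1.0/24, the same assumption as the workaround above) as high severity. The upload directory name and the .php path in the sample are constructed, not ShowDoc paths.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Combined Log Format), not real ShowDoc traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2021:13:55:36 +0000] "POST /server/index.php?s=/api/adminUpdate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2021:13:56:01 +0000] "POST /server/index.php?s=%2Fapi%2FadminUpdate HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.9 - - [10/Oct/2021:13:57:12 +0000] "GET /server/index.php?s=/api/item/info HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2021:13:58:40 +0000] "GET /uploads/example.php HTTP/1.1" 200 15 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumptions for this example: the admin network from the workaround section,
# the front-controller path from the advisory, and a hypothetical upload directory.
TRUSTED_ADMIN_NET = ipaddress.ip_network("192.168.1.0/24")
FRONT_CONTROLLER = "/server/index.php"
ADMIN_UPDATE_ROUTE = "/api/adminupdate"
UPLOAD_DIR_MARKER = "/uploads/"
SCRIPT_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx")


def is_admin_update(target: str) -> bool:
    """True when the request targets the adminUpdate route, in plain or encoded form."""
    parts = urlsplit(target)
    if parts.path != FRONT_CONTROLLER:
        return False
    # parse_qs decodes one layer of percent-encoding; unquote handles a second.
    routes = parse_qs(parts.query).get("s", [])
    return any(unquote(r).lower().startswith(ADMIN_UPDATE_ROUTE) for r in routes)


def detect(log_text: str) -> list:
    """Return one alert dict per suspicious line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        ip, method, target = m["ip"], m["method"], m["target"]
        status = int(m["status"])
        path = urlsplit(target).path
        if is_admin_update(target):
            # Any request to the endpoint is worth recording; those from outside
            # the trusted admin network are the high-priority ones.
            trusted = ipaddress.ip_address(ip) in TRUSTED_ADMIN_NET
            alerts.append({
                "rule": "admin_update_request",
                "severity": "info" if trusted else "high",
                "ip": ip,
                "method": method,
            })
        elif status == 200 and UPLOAD_DIR_MARKER in path.lower() \
                and path.lower().endswith(SCRIPT_EXTENSIONS):
            # A server-side script served from an upload directory indicates a
            # dropped web shell rather than a legitimate upload.
            alerts.append({
                "rule": "script_served_from_upload_dir",
                "severity": "high",
                "ip": ip,
                "path": path,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feed real access logs in by reading the file instead of SAMPLE_LOG; the parser only depends on the standard Combined Log Format fields.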