CVE-2022-0409
📋 TL;DR
CVE-2022-0409 is an unrestricted file upload vulnerability in showdoc documentation software that allows attackers to upload dangerous file types. This could lead to remote code execution or server compromise. All showdoc instances prior to version 2.10.2 are affected.
💻 Affected Systems
- showdoc/showdoc
📦 What is this software?
Showdoc by Showdoc
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server takeover, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, file manipulation, and potential privilege escalation.
If Mitigated
File upload attempts blocked at web application firewall level with no successful exploitation.
🎯 Exploit Status
Exploitation requires only HTTP POST requests with malicious files. Public proof-of-concept available on huntr.dev.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.2
Vendor Advisory: https://github.com/star7th/showdoc/commit/7383d7a3c1b0807b6f397ba7df415a0ce7ccc436
Restart Required: Yes
Instructions:
1. Back up your showdoc data and configuration.
2. Update showdoc to version 2.10.2 or later via composer: 'composer update showdoc/showdoc'.
3. Restart the showdoc service or web server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Web Application Firewall Rule
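Block file uploads to showdoc endpoints or restrict uploads to specific safe file types only.
# Example nginx location block. It is scoped to the upload directory because an
# unscoped /showdoc/.*\.php pattern would also deny /showdoc/index.php itself.
location ~* ^/showdoc/Public/Uploads/.*\.(php|phtml|php3|php4|php5|phps|shtml|sh|pl|py|cgi|exe)$ {
    deny all;
}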
File Upload Directory Restriction
Configure web server to prevent execution of uploaded files in upload directories.
# Apache .htaccess:
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$">
    ForceType text/plain
</FilesMatch>
# Nginx location block:
location /showdoc/Public/Uploads/ {
    deny all;
}
🧯 If You Can't Patch
- Implement strict file upload validation at the web application firewall level
- Disable file upload functionality entirely in showdoc configuration
🔍 How to Verify
Check if Vulnerable:
Check showdoc version via web interface or by examining composer.lock file for showdoc/showdoc version.
Check Version:
grep -A2 -B2 'showdoc/showdoc' composer.lock | grep version
Verify Fix Applied:
Verify showdoc version is 2.10.2 or later and test file upload functionality with restricted file types.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /showdoc/index.php?s=/home/page/upload with file uploads
- Uploads of executable file types (.php, .sh, .py) to showdoc directories
- Unusual file creation in showdoc upload directories
Network Indicators:
- HTTP traffic to showdoc upload endpoints with suspicious file types in payloads
- POST requests with Content-Type indicating file upload to showdoc
SIEM Query:
source="web_logs" AND uri_path="/showdoc/index.php" AND uri_query="s=/home/page/upload" AND http_method="POST" AND (content_type="multipart/form-data" OR user_agent CONTAINS "curl" OR user_agent CONTAINS "wget")
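The log indicators above as a small access-log scanner (an added example, not part of the original advisory or the showdoc project). It assumes combined-format access logs and the /showdoc/ install prefix used on this page; the sample lines, including the dated subdirectory and file names, are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_ROUTE = "/home/page/upload"        # route from the log indicators above
UPLOAD_DIR = "/showdoc/public/uploads/"   # directory from the workaround, lower-cased
# Script extensions taken from the nginx/Apache workaround lists on this page.
SCRIPT_EXT = re.compile(r"\.(php[345]?|phtml|phps|shtml|sh|pl|py|cgi)$")

def scan(lines):
    """Return (upload_posts, script_requests) found in access-log lines."""
    uploads, scripts = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, uri, status = m.groups()
        parts = urlsplit(uri)
        path = parts.path.lower()
        # parse_qs percent-decodes, so s=%2Fhome%2Fpage%2Fupload is caught too.
        route = parse_qs(parts.query).get("s", [""])[0].lower().rstrip("/")
        if method == "POST" and path.endswith("/index.php") and route == UPLOAD_ROUTE:
            uploads.append((ip, ts, int(status)))
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            scripts.append((ip, ts, parts.path, int(status)))
    return uploads, scripts

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [10/Feb/2022:10:00:01 +0000] "POST /showdoc/index.php?s=/home/page/upload HTTP/1.1" 200 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2022:10:00:05 +0000] "GET /showdoc/Public/Uploads/2022-02-10/a1b2c3.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2022:10:02:00 +0000] "POST /showdoc/index.php?s=%2Fhome%2Fpage%2Fupload HTTP/1.1" 200 153 "-" "curl/7.81.0"',
    '198.51.100.7 - - [10/Feb/2022:10:02:09 +0000] "GET /showdoc/Public/Uploads/2022-02-10/diagram.png HTTP/1.1" 200 48211 "-" "curl/7.81.0"',
    '203.0.113.5 - - [10/Feb/2022:10:03:00 +0000] "GET /showdoc/index.php?s=/home/page/index HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    uploads, scripts = scan(SAMPLE)
    for ip, ts, status in uploads:
        print(f"upload POST        {ip} [{ts}] -> {status}")
    for ip, ts, path, status in scripts:
        # A 2xx here means the server answered for a script in the upload directory.
        print(f"script in uploads  {ip} [{ts}] {path} -> {status}")
```

Upload POSTs alone are normal editor activity on a showdoc instance; the request for a script-type file under the upload directory is the entry to triage first.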