CVE-2022-1034
📋 TL;DR
CVE-2022-1034 is an unrestricted file upload vulnerability in ShowDoc v2.10.3 that allows attackers to upload malicious files without proper validation. This affects all ShowDoc installations running version 2.10.3 or earlier. Attackers could potentially execute arbitrary code on the server by uploading executable files.
💻 Affected Systems
- ShowDoc
📦 What is this software?
Showdoc by Showdoc
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, file manipulation, and potential privilege escalation.
If Mitigated
File uploads blocked or sanitized, limiting impact to denial of service through storage exhaustion.
🎯 Exploit Status
Exploit requires simple HTTP requests to upload malicious files. Public proof-of-concept available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.10.4
Vendor Advisory: https://github.com/star7th/showdoc/commit/bd792a89c0325836fbd64784f4c4117c0171416b
Restart Required: No
Instructions:
1. Backup your ShowDoc data and configuration. 2. Download ShowDoc v2.10.4 or later from GitHub. 3. Replace the existing installation files with the patched version. 4. Verify the update by checking the version in the admin panel.
🔧 Temporary Workarounds
Web Server File Upload Restriction
allConfigure web server (Apache/Nginx) to block file uploads to vulnerable endpoints
# Nginx example: location ~* \.(php|phtml|sh|exe)$ { deny all; }
# Apache example: <FilesMatch "\.(php|phtml|sh|exe)$"> Order Allow,Deny Deny from all </FilesMatch>
Application Firewall Rules
allImplement WAF rules to block malicious file upload patterns
# Example ModSecurity rule: SecRule FILES_TMPNAMES "@rx \.(php|phtml|sh|exe)$" "id:1001,phase:2,deny,msg:'Malicious file upload attempt'"
🧯 If You Can't Patch
- Implement strict file upload validation at the application layer, allowing only specific safe file types
- Deploy network segmentation to isolate ShowDoc instances and restrict access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check ShowDoc version in admin panel or via package.json file. If version is 2.10.3 or earlier, system is vulnerable.Check Version:
cat /path/to/showdoc/package.json | grep versionVerify Fix Applied:
After patching, attempt to upload a file with dangerous extension (e.g., .php, .exe). Upload should be rejected with proper error message.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to upload endpoints with suspicious file extensions
- Successful uploads of executable files
- Unusual file creation in upload directories
Network Indicators:
- Multiple file upload attempts with different extensions
- POST requests to /server/index.php?s=/api/page/upload
SIEM Query:
source="web_server" method="POST" uri="*upload*" (extension="php" OR extension="exe" OR extension="sh" OR extension="phtml")