
CVE-2021-36440: Unrestricted File Upload in ShowDoc v2.9.5

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.96952%
Published
9/9/2021
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name       Ecosystem   Vulnerable Versions   First Patched Version
showdoc/showdoc    composer    < 2.9.6               2.9.6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the download() function in AdminUpdateController.class.php. Before the fix, the function performed no authentication check (one was added in commit 49b992d), so an unauthenticated request could make the server fetch a remote file from the URL supplied in the 'file_url' parameter. The function then wrote the fetched file to disk and extracted its contents without validating the file's type or source, so the attacker controlled both what was downloaded and what ended up on the server's filesystem. This matches CWE-434 (Unrestricted Upload of File with Dangerous Type) and is consistent with the public PoC, which exploits the flaw with a malicious ZIP payload. Since the patch consists of adding authentication guards to this path, the missing check is confirmed as the attack vector; a complete fix should also constrain where updates may be fetched from and verify the archive's integrity before extracting it.
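The fetch, write and extract chain described above, as an added illustration that is not ShowDoc's code and not the change from commit 49b992d: a hypothetical handler with the vulnerable shape beside a hardened one. Only the 'file_url' parameter name comes from the advisory; the function names, the pinned update host, the expected digest and the isAdmin() hook are assumptions.

```php
<?php
// Added illustration of the CWE-434 pattern in the advisory; not ShowDoc's code.
// Only the parameter name 'file_url' comes from the advisory. The function
// names, the pinned update host, the expected digest and the isAdmin() hook
// are hypothetical.

// Vulnerable shape: no authentication, fetch whatever URL the client names,
// write it to disk and extract every entry of the archive as-is.
function downloadUpdateVulnerable(array $params, string $targetDir): void
{
    $url     = $params['file_url'];                       // attacker-controlled
    $zipPath = $targetDir . '/update.zip';
    file_put_contents($zipPath, file_get_contents($url)); // no source check
    $zip = new ZipArchive();
    if ($zip->open($zipPath) === true) {
        $zip->extractTo($targetDir);                      // no content check
        $zip->close();
    }
}

// Hardened shape. An updater legitimately ships PHP files, so filtering by
// extension would break it; the controls that matter are (1) an admin check,
// (2) a pinned HTTPS source, (3) integrity verification of the whole archive
// before anything is written into the web root, and (4) rejection of entries
// that would escape the target directory.
const ALLOWED_UPDATE_HOSTS = ['updates.example.com'];     // hypothetical

function downloadUpdateHardened(
    array $params,
    string $targetDir,
    string $expectedSha256,   // from a trusted manifest, never from the request
    callable $isAdmin         // hypothetical session/role check
): void {
    if (!$isAdmin()) {
        throw new RuntimeException('admin login required');
    }

    $url   = (string)($params['file_url'] ?? '');
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array($parts['host'] ?? '', ALLOWED_UPDATE_HOSTS, true)) {
        throw new RuntimeException('update source not allowed');
    }

    // Fetch with a timeout and without following redirects, so the pinned
    // host cannot bounce the request elsewhere; cap the size before touching disk.
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $data = file_get_contents($url, false, $ctx);
    if ($data === false || strlen($data) > 50 * 1024 * 1024) {
        throw new RuntimeException('download failed or too large');
    }
    if (!hash_equals($expectedSha256, hash('sha256', $data))) {
        throw new RuntimeException('update archive failed integrity check');
    }

    $zipPath = tempnam(sys_get_temp_dir(), 'upd');
    file_put_contents($zipPath, $data);
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        unlink($zipPath);
        throw new RuntimeException('not a valid zip archive');
    }

    // Refuse absolute paths and '..' segments in every entry before extracting any.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (str_starts_with($name, '/') || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $zip->close();
            unlink($zipPath);
            throw new RuntimeException("rejected archive entry: $name");
        }
    }
    $zip->extractTo($targetDir);
    $zip->close();
    unlink($zipPath);
}
```

The authentication guard alone, which is what the patch adds, closes the unauthenticated case; the source pin and the digest check are the additional layers that keep an authenticated administrator from being pointed at an attacker-controlled archive. For an updater the integrity check has to cover the whole archive against a trusted digest or signature rather than filter entries by extension, because a legitimate update necessarily contains PHP files.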

WAF Protection Rules

WAF Rule

Unrestricted File Upload in ShowDoc v2.9.5 allows remote attackers to execute arbitrary code via the 'file_url' parameter in the component 'AdminUpdateController.class.php'.
