Critical ShowDoc Vulnerability Exploited in Active Attacks
Threat actors are actively exploiting a severe remote code execution (RCE) vulnerability in ShowDoc, a widely used online document-sharing and collaboration tool for IT teams. Tracked as CNVD-2020-26585, the flaw allows unauthenticated attackers to upload malicious files and execute arbitrary code on vulnerable servers, potentially granting access to sensitive internal documentation and API specifications.
The vulnerability affects ShowDoc versions prior to 2.8.7 and stems from an unrestricted file upload mechanism in the application’s image upload API endpoint (/index.php?s=/home/page/uploadImg). Attackers bypass security filters by manipulating the Content-Disposition header, inserting characters into the filename (as in test.<>php) to evade extension validation. A single crafted HTTP POST request can deliver a malicious PHP payload, which, once uploaded, executes with web server privileges.
Security researchers from Vulhub demonstrated the exploit, showing that successful attacks return a direct URL to the uploaded PHP file, enabling full RCE. Publicly available exploit code has increased the risk, with VulnCheck reporting automated scanning and attacks targeting unpatched servers.
Organizations are urged to upgrade to ShowDoc 2.8.7 or later to apply the official patch. Security teams should also review web server logs for suspicious POST requests to the upload endpoint, restrict public access to internal documentation servers, and configure Web Application Firewalls (WAFs) to block malformed file uploads containing executable scripts.
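One way to carry out the log review recommended above, as an added example that is not part of the original article or of ShowDoc itself. It assumes access logs in Combined Log Format and ShowDoc served from /index.php at the web root; the function name, sample lines and upload path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_ROUTE = "s=/home/page/uploadimg"  # endpoint from the article, lower-cased

def find_upload_abuse(lines, app_entry="/index.php"):
    """Return (kind, ip, time, target, status) tuples worth an analyst's review."""
    uploaders = set()  # clients already seen POSTing to the upload route
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, ts, method, target, status = m.groups()
        decoded = unquote(target).lower()  # also catches s=%2Fhome%2Fpage%2FuploadImg
        path = decoded.split("?", 1)[0]
        if method == "POST" and UPLOAD_ROUTE in decoded:
            # Legitimate editors upload images here too, so this is a lead only.
            uploaders.add(ip)
            findings.append(("upload_post", ip, ts, target, int(status)))
        elif ip in uploaders and path.endswith(".php") and path != app_entry:
            # Stronger signal: the same client then requests some other PHP file,
            # consistent with fetching the URL returned for an uploaded script.
            findings.append(("php_after_upload", ip, ts, target, int(status)))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder upload path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:10:00:00 +0000] '
    '"GET /index.php?s=/home/item/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] '
    '"POST /index.php?s=/home/page/uploadImg HTTP/1.1" 200 96 "-" "client/1.0"',
    '192.0.2.10 - - [01/Jan/2020:10:00:06 +0000] '
    '"GET /upload-dir-placeholder/sample.php HTTP/1.1" 200 12 "-" "client/1.0"',
    '198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] '
    '"POST /index.php?s=%2Fhome%2Fpage%2FuploadImg HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Treat upload_post hits as leads to correlate with known editor activity; a php_after_upload hit with a 200 status is the one to escalate first.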
Source: https://cybersecuritynews.com/showdoc-rce-vulnerability-exploited/
The Hacker News cybersecurity rating report: https://www.rankiteo.com/company/thehackernews