CF Image Hosting Script 1.6.5 Unauthenticated Database Download and Remote Image Deletion
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database, extract delete IDs, and delete all pictures via the `d` parameter.
CF Image Hosting Script 1.6.5 is vulnerable to an unauthenticated database download vulnerability. An attacker can directly access the imgdb.db file located in the upload/data directory without any authentication. This database contains sensitive information, including delete IDs stored in plaintext. By extracting these IDs, an attacker can then leverage the d parameter in the application to remotely delete any or all images hosted on the platform. The vulnerability was published on April 12, 2026, and could lead to complete image loss and potential denial of service.
Attack Chain
- An unauthenticated attacker sends an HTTP GET request to
/upload/data/imgdb.dbto download the database file. - The web server serves the
imgdb.dbfile without authentication. - The attacker downloads the
imgdb.dbfile. - The attacker deserializes or opens the database file to extract delete IDs. These IDs are stored in plaintext within the database.
- The attacker crafts a malicious URL containing the
dparameter and the extracted delete IDs, for example,index.php?d=delete_id_1,delete_id_2. - The attacker sends the crafted URL to the CF Image Hosting Script server via an HTTP GET request.
- The server processes the request and deletes the images associated with the provided delete IDs.
Impact
Successful exploitation of this vulnerability leads to complete image deletion from the CF Image Hosting Script instance. There is no mention of the number of victims. The impact is high, potentially causing significant data loss and disruption of service for users relying on the image hosting. The vulnerability can be exploited remotely without authentication.
Recommendation
- Monitor web server access logs for requests to
/upload/data/imgdb.dbto detect unauthorized database downloads. Deploy the Sigma ruleDetect Unauthorized Database Downloadto identify these events. - Implement access controls to restrict direct access to the
/upload/data/directory via the webserver. - Apply a web application firewall (WAF) rule to block requests containing the
dparameter with suspicious delete IDs. - Upgrade to a patched version of the CF Image Hosting Script or migrate to a different image hosting solution that addresses this vulnerability.
Detection coverage 2
Detect Unauthorized Database Download
criticalDetects unauthorized attempts to download the imgdb.db database file.
Detect Image Deletion Attempt via d Parameter
highDetects attempts to delete images using the 'd' parameter in the URL.
Detection queries are available on the platform. Get full rules →