<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CF Image Hosting Script - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cf-image-hosting-script/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cf-image-hosting-script/feed.xml" rel="self" type="application/rss+xml"/><item><title>CF Image Hosting Script 1.6.5 Unauthenticated Database Download and Remote Image Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-cf-image-hosting-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cf-image-hosting-rce/</guid><description>CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database, extract delete IDs, and delete all pictures via the `d` parameter.</description><content:encoded><![CDATA[<p>CF Image Hosting Script 1.6.5 is vulnerable to an unauthenticated database download vulnerability. An attacker can directly access the <code>imgdb.db</code> file located in the <code>upload/data</code> directory without any authentication. This database contains sensitive information, including delete IDs stored in plaintext. By extracting these IDs, an attacker can then leverage the <code>d</code> parameter in the application to remotely delete any or all images hosted on the platform. The vulnerability was published on April 12, 2026, and could lead to complete image loss and potential denial of service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends an HTTP GET request to <code>/upload/data/imgdb.db</code> to download the database file.</li>
<li>The web server serves the <code>imgdb.db</code> file without authentication.</li>
<li>The attacker downloads the <code>imgdb.db</code> file.</li>
<li>The attacker deserializes or opens the database file to extract delete IDs. These IDs are stored in plaintext within the database.</li>
<li>The attacker crafts a malicious URL containing the <code>d</code> parameter and the extracted delete IDs, for example, <code>index.php?d=delete_id_1,delete_id_2</code>.</li>
<li>The attacker sends the crafted URL to the CF Image Hosting Script server via an HTTP GET request.</li>
<li>The server processes the request and deletes the images associated with the provided delete IDs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to complete image deletion from the CF Image Hosting Script instance. There is no mention of the number of victims. The impact is high, potentially causing significant data loss and disruption of service for users relying on the image hosting. The vulnerability can be exploited remotely without authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server access logs for requests to <code>/upload/data/imgdb.db</code> to detect unauthorized database downloads. Deploy the Sigma rule <code>Detect Unauthorized Database Download</code> to identify these events.</li>
<li>Implement access controls to restrict direct access to the <code>/upload/data/</code> directory via the webserver.</li>
<li>Apply a web application firewall (WAF) rule to block requests containing the <code>d</code> parameter with suspicious delete IDs.</li>
<li>Upgrade to a patched version of the CF Image Hosting Script or migrate to a different image hosting solution that addresses this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2019-25709</category><category>image-hosting</category><category>unauthorized-access</category></item></channel></rss>