{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/image-hosting/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-25709"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CF Image Hosting Script"],"_cs_severities":["critical"],"_cs_tags":["cve-2019-25709","image-hosting","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["CF Image Hosting Script"],"content_html":"\u003cp\u003eCF Image Hosting Script 1.6.5 is vulnerable to an unauthenticated database download vulnerability. An attacker can directly access the \u003ccode\u003eimgdb.db\u003c/code\u003e file located in the \u003ccode\u003eupload/data\u003c/code\u003e directory without any authentication. This database contains sensitive information, including delete IDs stored in plaintext. By extracting these IDs, an attacker can then leverage the \u003ccode\u003ed\u003c/code\u003e parameter in the application to remotely delete any or all images hosted on the platform. The vulnerability was published on April 12, 2026, and could lead to complete image loss and potential denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP GET request to \u003ccode\u003e/upload/data/imgdb.db\u003c/code\u003e to download the database file.\u003c/li\u003e\n\u003cli\u003eThe web server serves the \u003ccode\u003eimgdb.db\u003c/code\u003e file without authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the \u003ccode\u003eimgdb.db\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker deserializes or opens the database file to extract delete IDs. These IDs are stored in plaintext within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing the \u003ccode\u003ed\u003c/code\u003e parameter and the extracted delete IDs, for example, \u003ccode\u003eindex.php?d=delete_id_1,delete_id_2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted URL to the CF Image Hosting Script server via an HTTP GET request.\u003c/li\u003e\n\u003cli\u003eThe server processes the request and deletes the images associated with the provided delete IDs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to complete image deletion from the CF Image Hosting Script instance. There is no mention of the number of victims. The impact is high, potentially causing significant data loss and disruption of service for users relying on the image hosting. The vulnerability can be exploited remotely without authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003e/upload/data/imgdb.db\u003c/code\u003e to detect unauthorized database downloads. Deploy the Sigma rule \u003ccode\u003eDetect Unauthorized Database Download\u003c/code\u003e to identify these events.\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict direct access to the \u003ccode\u003e/upload/data/\u003c/code\u003e directory via the webserver.\u003c/li\u003e\n\u003cli\u003eApply a web application firewall (WAF) rule to block requests containing the \u003ccode\u003ed\u003c/code\u003e parameter with suspicious delete IDs.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of the CF Image Hosting Script or migrate to a different image hosting solution that addresses this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cf-image-hosting-rce/","summary":"CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database, extract delete IDs, and delete all pictures via the `d` parameter.","title":"CF Image Hosting Script 1.6.5 Unauthenticated Database Download and Remote Image Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-cf-image-hosting-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Image-Hosting","version":"https://jsonfeed.org/version/1.1"}