Arbitrary file upload

High
davidmehren published GHSA-wcr3-xhv7-8gxc Dec 27, 2020

Package

No package listed

Affected versions

<1.7.1

Patched versions

1.7.1

Description

Impact

An unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP (see note below) files.

All versions prior to 1.7.1 (before commit 90451b7b9380b349c92aa18ade0e2682a6dd2c7a) are affected.

Patches

The problem is patched in HedgeDoc 1.7.1. You should nevertheless verify that your upload file storage contains only files of allowed types, because files uploaded before the upgrade might still be served.

Workarounds

As a workaround, you can block the /uploadimage endpoint on your instance using your reverse proxy, and/or restrict the MIME types and file names served from your upload file storage.
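The two defensive steps above, verifying that the upload store holds only allowed files and restricting what is served from it, both start from the same question: which files in the store are not the image types the application is expected to produce? The following audit script is an added example, not HedgeDoc's own code. It walks an upload directory (the default path `./public/uploads` is an assumption for this example), checks each file against an allowlist of image extensions and their magic bytes, and reports every file that fails either check or that carries an interpreted extension hidden inside its name, since some web servers dispatch on inner extensions. The allowlist and the set of interpreted extensions are constructed for this example and should be adjusted to the deployment.

```python
import os
import sys
from pathlib import Path

# Constructed allowlist for this example: extension -> accepted leading magic bytes.
# Not HedgeDoc's configuration; extend it to match what your instance accepts.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),  # RIFF container; "WEBP" must follow at offset 8
}

# Extensions a web server might hand to an interpreter or render as a document.
# Constructed from the types named in the advisory (HTML, JS, PHP).
INTERPRETED = {".php", ".phtml", ".html", ".htm", ".js"}


def classify(path: Path) -> str:
    """Return 'ok', 'suspicious-name', 'bad-extension', 'bad-magic' or 'unreadable'."""
    # A name like "pic.php.png" has an interpreted inner extension; flag it first.
    inner = [s.lower() for s in path.suffixes[:-1]]
    if any(s in INTERPRETED for s in inner):
        return "suspicious-name"
    ext = path.suffix.lower()
    if ext not in ALLOWED:
        return "bad-extension"
    try:
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError:
        return "unreadable"
    # The extension alone proves nothing; the content must match the claimed type.
    if not any(head.startswith(magic) for magic in ALLOWED[ext]):
        return "bad-magic"
    if ext == ".webp" and head[8:12] != b"WEBP":
        return "bad-magic"
    return "ok"


def audit_upload_dir(root) -> dict:
    """Walk the upload store and map each non-conforming file (relative path) to its verdict."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict != "ok":
                findings[str(p.relative_to(root))] = verdict
    return findings


if __name__ == "__main__":
    # Assumed default location of the upload store; pass the real path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "./public/uploads"
    for rel, verdict in sorted(audit_upload_dir(target).items()):
        print(f"{verdict:16} {rel}")
```

Run it against the directory your reverse proxy serves as the upload store; every reported file is a candidate for removal or quarantine before the store is exposed again. The magic-byte check is deliberately strict for the handful of types it knows, so add entries to `ALLOWED` rather than loosening the comparison.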

For more information

If you have any questions or comments about this advisory:

Credits

Credits go to T. Lambertz who discovered this vulnerability.

Note on PHP and other CGI renderers for web servers

If the uploaded files are served directly by a web server that interprets code, as is common in LAMP installations, this vulnerability may allow arbitrary code execution on your backend. That would raise the rating of this vulnerability to critical. However, because such a configuration was never advised and, to our current knowledge, is only a theoretical construct for deployments in the wild, it was not considered in the score calculation.

Severity

High

CVE ID

CVE-2020-26286

Weaknesses

No CWEs