CF Image Hosting Script Database Access Vulnerability Allowing Unauthorized Deletion of Images
Vulnerability
A vulnerability in CF Image Hosting Script version 1.6.5 allows unauthenticated attackers to access and download the application database. The issue arises from the database file, imgdb.db, being publicly accessible in the upload/data directory. Once downloaded, the database can be decoded and deserialized, revealing delete IDs stored in plaintext. Attackers can exploit this information to delete all images by sending requests with the corresponding delete IDs.
Impact
Exploitation of this vulnerability leads to unauthorized access to the application database and allows for the deletion of all images stored by the user.
Reproduction
To reproduce this vulnerability, download CF Image Hosting Script version 1.6.5 and upload it to a server. Ensure that the server is running and accessible. The vulnerability can be exploited by requesting the URL of the imgdb.db file in the upload/data directory, using a web browser or a tool like curl. Once the database is downloaded, it can be decoded and deserialized using a Python script that utilizes the phpserialize library. After extracting the delete IDs, another request can be sent to the server with each ID to delete the corresponding image.
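To check whether the database was ever served from an existing installation, search the web access logs for successful requests to upload/data/imgdb.db. The script below is an added example, not part of the original advisory or of the CF Image Hosting Script project; it assumes the Apache/nginx combined log format, its function names are hypothetical, and the log lines are constructed samples.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Path of the database relative to the install root, as given in the advisory.
DB_SUFFIX = "/upload/data/imgdb.db"

# Apache/nginx "combined" log format (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalise(target):
    """Reduce a request target to a decoded, lower-cased, dot-free path."""
    path = unquote(urlsplit(target).path).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_db_downloads(lines):
    """Return {client_ip: [(timestamp, status, bytes), ...]} for served DB fetches."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if not normalise(m["target"]).endswith(DB_SUFFIX):
            continue
        status = int(m["status"])
        # 200/206 mean file content left the server; 403/404 mean it was blocked.
        if status in (200, 206):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], status, size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /upload/data/imgdb.db HTTP/1.1" 200 48213 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "GET /gallery/upload/%64ata/./imgdb.db?x=1 HTTP/1.1" 206 1024 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2024:10:02:00 +0000] "GET /upload/data/imgdb.db HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:02:05 +0000] "GET /upload/images/cat.png HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_db_downloads(SAMPLE_LOG).items():
        print(ip, events)
```

A 200 or 206 entry means database content was returned to that client, so the delete IDs it contained should be treated as exposed; a 403 or 404 for the same path indicates the directory is already blocked.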
