CVE-2018-19127
Published: 2018-11-09
Priority P182 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.77% (97.2th percentile)
A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpcms | phpcms | — | — |
Detection & IOCs (extracted from sources)
- path: /data/cache_template/rss.tpl.php
- url: /type.php?template=tag_(){};echo(md5(999999999));{//../rss
- bytes: <?php function
- Monitor GET requests to /type.php containing a 'template' parameter with PHP code or template injection payloads (e.g., containing 'echo', 'md5', or function definitions).
- Alert on creation or modification of files matching the pattern data/cache_template/*.tpl.php, especially those containing PHP executable code injected via the template parameter.
- Detect exploitation attempts by checking for subsequent GET requests to /data/cache_template/rss.tpl.php (or similar .tpl.php files) after a suspicious /type.php request — this is the two-step RCE pattern.
- Use Shodan/FOFA queries to identify exposed PHPCMS 2008 instances: search for 'Powered by phpcms' in HTTP response bodies.
- The exploit is unauthenticated; no session or login is required. Flag any anonymous/unauthenticated access to /type.php with a non-trivial template parameter.
- The controllable filename in the cache path means the attacker can choose the output .tpl.php filename (e.g., 'rss' in rss.tpl.php) via the template parameter path traversal segment ({//../rss), so detection rules should cover wildcard filenames under data/cache_template/, not just 'rss.tpl.php'.
- The Nuclei template uses a two-request flow (http(1) OR http(2)), meaning the first request triggers the write and the second verifies execution. Detection logic should correlate both requests rather than treating them independently.
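The two-request correlation recommended in the bullets above, as an added example that is not part of the original page or of the Nuclei template. It assumes combined-format access logs, an allowlist of plain identifiers for benign template values, and a 10-minute correlation window; the log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, [timestamp], "METHOD target PROTO", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# Assumption: a benign template name is a plain identifier.
SAFE_TEMPLATE = re.compile(r'^[A-Za-z0-9_-]+$')
# Any filename under data/cache_template/, not only rss.tpl.php.
CACHE_FILE = re.compile(r'/data/cache_template/[^/]+\.tpl\.php$', re.I)

def correlate(lines, window=timedelta(minutes=10)):
    """Return (client, stage, path) findings; window is an assumed tuning value."""
    pending, findings = {}, []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        client, ts, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if url.path.lower().endswith("/type.php"):
            # parse_qs percent-decodes, so encoded payloads are checked too.
            values = parse_qs(url.query).get("template", [])
            if any(not SAFE_TEMPLATE.match(v) for v in values):
                pending[client] = when  # step 1: possible cache-file write
                findings.append((client, "suspicious-template", url.path))
        elif CACHE_FILE.search(url.path):
            seen = pending.get(client)
            if seen is not None and when - seen <= window:
                # step 2: same client requests a cache file soon after step 1
                findings.append((client, "write-then-fetch", url.path))
    return findings

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Nov/2018:10:00:01 +0000] "GET /type.php?template=tag_(){};echo(md5(999999999));{//../rss HTTP/1.1" 200 512',
    '198.51.100.9 - - [09/Nov/2018:10:00:02 +0000] "GET /type.php?template=list HTTP/1.1" 200 2048',
    '203.0.113.7 - - [09/Nov/2018:10:00:03 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 32',
    '198.51.100.9 - - [09/Nov/2018:10:00:05 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 0',
    '192.0.2.44 - - [09/Nov/2018:10:05:00 +0000] "GET /type.php?template=tag_()%7B%7D%3Becho(md5(999999999))%3B%7B//../rss HTTP/1.1" 200 512',
    '192.0.2.44 - - [09/Nov/2018:11:30:00 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 32',
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A "write-then-fetch" finding is the higher-confidence signal; a lone "suspicious-template" finding indicates a probe or an attempt whose follow-up request fell outside the window.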
CVSS provenance
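| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |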
GHSA
GHSA-p498-q357-m3p7: A code injection vulnerability in /type
ghsa_unreviewed·2022-05-14
CVE-2018-19127 [CRITICAL] CWE-94 GHSA-p498-q357-m3p7: A code injection vulnerability in /type
VulnCheck
phpcms phpcms Improper Control of Generation of Code ('Code Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-19127 [CRITICAL] phpcms phpcms Improper Control of Generation of Code ('Code Injection')
Affected: phpcms phpcms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/New+Waves+of+Scans+Detected+by+an+Old+Rule/24812
No detection rules found.
Nuclei
PHPCMS 2008 - Remote Code Execution via Template Injection
nuclei·CVSS 9.8
CVE-2018-19127 [CRITICAL] PHPCMS 2008 - Remote Code Execution via Template Injection
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
Template:
```yaml
id: CVE-2018-19127
info:
  name: PHPCMS 2008 - Remote Code Execution via Template Injection
  author: tomaquet18
  severity: critical
  description: |
    PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
  impact: |
    Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
  remediation: |
    The vendor is unresponsive and PHPCMS 2008 is no
```
No writeups or analysis indexed.