cbcvebase.
CVE-2018-7662
published 2018-03-04

CVE-2018-7662: Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.

PriorityP350medium5.3CVSS 3.0
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
43.52%
98.6th percentile
Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
couchcmscouch<= 2.0

Detection & IOCsextracted from sources · hover to see the quote

path/includes/mysql2i/mysql2i.func.php
othermysql2i.func.php on line 10
otherFatal error: Cannot redeclare mysql_affected_rows() in
otherphpmailer.php on line 10
  • Send a direct unauthenticated HTTP GET request to /includes/mysql2i/mysql2i.func.php; a vulnerable CouchCMS instance will return a PHP fatal error string disclosing the full server path.
  • Send a direct unauthenticated HTTP GET request to /addons/phpmailer/phpmailer.php; a vulnerable CouchCMS instance will return a PHP fatal error string disclosing the full server path.
  • Match response body for both 'mysql2i.func.php on line 10' AND 'Fatal error: Cannot redeclare mysql_affected_rows() in' to confirm exploitation of the mysql2i path disclosure vector.
  • Match response body for both 'phpmailer.php on line 10' AND 'Fatal error: Call to a menber function add_event_listener() on a non-object in' to confirm exploitation of the phpmailer path disclosure vector.
  • ·The vulnerability only triggers if PHP is configured to display errors (display_errors = On); hardened production servers with error display disabled will not return the path disclosure response strings.
  • ·The Nuclei template uses stop-at-first-match, so only one of the two paths needs to return a positive match for the check to succeed; both paths should be tested independently in manual assessments.

CVSS provenance

nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.