CVE-2019-19208
Published 2020-03-16
CVE-2019-19208: Codiad Web IDE through 2.8.4 allows PHP Code injection.
Priority: P272 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.24% (97.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codiad | codiad | <= 2.8.4 | — |
| codiad | codiad | 0 – 2.8.4 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /components/install/process.php: the exploit posts a malicious PHP payload via the 'timezone' parameter to inject code into config.php.
- Detect GET requests to /config.php containing a 'cmd' query parameter, which indicates the injected webshell backdoor is being used for remote command execution.
- Look for the PHP payload pattern system($_GET["cmd"]) injected into the 'timezone' POST body field during installation requests.
- The exploit uses X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded headers when posting the malicious payload; correlate these with requests to the install endpoint.
- The exploit targets unauthenticated access to the install component; alert on any POST to the install process endpoint from external/untrusted sources on a production Codiad instance.
- The exploit targets installation paths that vary by OS; defenders should check both /var/www/html/ and /var/www/ for a tampered config.php.
- The exploit inserts a 10-second sleep between the injection POST and subsequent command execution, which may affect time-based correlation in SIEM rules.
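The URL-based indicators above can be checked directly against web server access logs. The following is an added example, not code from this page or its sources: it assumes combined-format access logs, and the function names, the five-minute correlation window and the sample lines are constructed for illustration. The 'timezone' POST body is not visible in access logs, so it is not covered here.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

INSTALL_PATH = "/components/install/process.php"  # endpoint named on the page
CONFIG_PATH = "/config.php"                       # file the page says is tampered

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in the assumed format
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
    }

def detect(lines, window=timedelta(minutes=5)):
    """Return (rule, ip, time) findings; window is an assumed correlation span."""
    findings, install_posts = [], {}
    for ev in filter(None, map(parse, lines)):
        # endswith() also matches Codiad installed under a sub-directory
        if ev["method"] == "POST" and ev["path"].endswith(INSTALL_PATH):
            install_posts[ev["ip"]] = ev["time"]
            findings.append(("install_post", ev["ip"], ev["time"]))
        elif (ev["method"] == "GET" and ev["path"].endswith(CONFIG_PATH)
              and "cmd" in ev["query"]):
            rule = "config_cmd"
            seen = install_posts.get(ev["ip"])
            if seen is not None and ev["time"] - seen <= window:
                rule = "install_then_cmd"  # both stages from one client
            findings.append((rule, ev["ip"], ev["time"]))
    return findings

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [16/Mar/2020:10:00:00 +0000] "POST /components/install/process.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [16/Mar/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Mar/2020:10:00:11 +0000] "GET /config.php?cmd=EXAMPLE HTTP/1.1" 200 64',
    '203.0.113.9 - - [16/Mar/2020:10:03:00 +0000] "GET /config.php?cmd=EXAMPLE HTTP/1.1" 200 64',
]
```

A window shorter than the 10-second sleep noted above would miss the pairing, so the correlation window should comfortably exceed it.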
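CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |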
GHSA
Code injection in codiad
ghsa·2021-09-01
CVE-2019-19208 [CRITICAL] CWE-94 Code injection in codiad
Codiad Web IDE through 2.8.4 allows PHP Code injection.
OSV
Code injection in codiad
osv·2021-09-01
CVE-2019-19208 [CRITICAL] Code injection in codiad
Codiad Web IDE through 2.8.4 allows PHP Code injection.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162753/Codiad-2.8.4-Remote-Code-Execution.html
- https://github.com/Codiad/Codiad/commits/master
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2019-19208-Exploit
- https://herolab.usd.de/en/security-advisories/
- https://herolab.usd.de/security-advisories/usd-2019-0049/
- https://www.exploit-db.com/exploits/49902