CVE-2018-1000533
📋 TL;DR
CVE-2018-1000533 is a remote code execution vulnerability in GitList 0.6.0 and earlier. User input that reaches the searchTree function is not sanitized safely before it is handed to a shell-executed command, so anyone who can submit the repository search form (a POST request) can run arbitrary commands as the PHP (web server) user. Every deployment running an affected version is exposed; the fix shipped in 0.7.0.
💻 Affected Systems
- GitList
📦 What is this software?
GitList is a PHP web application for browsing Git repositories (commits, branches, trees, blame, search), maintained by Klaus Silveira (klaussilveira on GitHub).
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution as the PHP user on the GitList host, which gives read access to every repository GitList serves and to any credentials or tokens on that host; combined with a local privilege escalation this becomes full system compromise, and the host becomes a pivot for lateral movement.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or service disruption.
If Mitigated
Limited impact with proper network segmentation and minimal PHP user privileges, though code execution would still be possible within the web application context.
🎯 Exploit Status
Exploitation consists of sending a crafted POST request to the repository search endpoint; no user interaction is involved. Public write-ups document both the exploit and the underlying technique: the way PHP's escapeshellarg and escapeshellcmd interact when both are applied to the same string, which lets attacker-controlled input escape the argument it was quoted into. Treat this as readily exploitable by anyone who can reach the search form.
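The following is an added example, not code from this page or from GitList. It is a Python model of PHP's escapeshellarg and escapeshellcmd (Unix behaviour, including escapeshellcmd's rule that a quote is escaped only when it has no partner) used to show the general technique the referenced write-up describes: applying escapeshellcmd on top of an escapeshellarg-quoted value lets a single quote in user input split one argument into two, while shell metacharacters on their own stay harmless. The grep command line, the option name `--injected-option` and the sample inputs are illustrative assumptions; which program option the real exploit abuses is in the write-up, not here.

```python
import shlex

# Characters PHP's escapeshellcmd prefixes with a backslash (Unix build).
# Quotes are handled separately: only an unpaired ' or " is escaped.
_CMD_META = set('&#;`|*?~<>^()[]{}$\\\n\xff')


def escapeshellarg(arg: str) -> str:
    """Model of PHP escapeshellarg (Unix): single-quote the value, turn ' into '\\''."""
    return "'" + arg.replace("'", "'\\''") + "'"


def escapeshellcmd(cmd: str) -> str:
    """Model of PHP escapeshellcmd (Unix), including its quote-pairing rule."""
    out = []
    closing = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(cmd):
        if ch in ("'", '"'):
            if closing is None:
                j = cmd.find(ch, i + 1)
                if j == -1:
                    out.append("\\")   # unpaired quote: escaped
                else:
                    closing = j        # opening quote of a pair: left alone
            elif cmd[closing] == ch:
                closing = None         # closing quote of the pair: left alone
            else:
                out.append("\\")       # other quote type inside a pair: escaped
            out.append(ch)
        elif ch in _CMD_META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_argv(user_input: str, double_escape: bool) -> list[str]:
    """Quote user_input with escapeshellarg, optionally pass the whole command
    line through escapeshellcmd as well, then tokenise it the way a POSIX shell
    would. Returns the argv the invoked program actually receives.
    The command line itself (grep --line-number <input> HEAD) is illustrative."""
    cmd = "grep --line-number " + escapeshellarg(user_input) + " HEAD"
    if double_escape:
        cmd = escapeshellcmd(cmd)
    return shlex.split(cmd)


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for label, value in [("metacharacters only", "foo; id"),
                         ("single quote plus space", "' --injected-option=value")]:
        print(label)
        print("  escapeshellarg only :", build_argv(value, False))
        print("  plus escapeshellcmd :", build_argv(value, True))
```

With escapeshellarg alone both inputs arrive as one argument. After escapeshellcmd, the backslash that escapeshellarg used for the embedded quote is doubled, the quoting closes early, and the text after the space becomes a separate argv entry under the attacker's control; the `;` input is merely mangled. Filtering `; | & $ ( )` therefore does not address this bug; the single quote does the work.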
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7
Vendor Advisory: https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
Restart Required: No for a plain PHP deployment (files are re-read on the next request). If opcache is enabled with opcache.validate_timestamps=0, restart PHP-FPM or the web server so the patched files are actually loaded.
Instructions:
1. Back up the current GitList installation (code and configuration).
2. Download GitList 0.7.0 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Confirm the installed tree contains commit 87b8c26b023c3fc37f0796b14bb13710f397b322 (see How to Verify) or reports version 0.7.0 or later, then confirm the search form still works.
🔧 Temporary Workarounds
Disable Search Functionality
Temporarily disable the search feature to prevent exploitation while patching.
# Block POST requests to the search route at the web server while patching.
# GitList's search route is POST /<repo>/tree/<branch>/search, so match the
# trailing /search rather than a bare /search path. Only POST is blocked:
# GET to the same path is ordinary tree browsing.
# Apache (mod_rewrite):
#   RewriteEngine On
#   RewriteCond %{REQUEST_METHOD} ^POST$
#   RewriteRule /search$ - [F]
# Nginx:
#   location ~ /search$ { limit_except GET { deny all; } }
Input Validation Filter
Implement additional input validation at the web application firewall or application level.
# Example ModSecurity rule. Allowlist the search term instead of denylisting
# shell metacharacters: escapeshellarg already neutralises ; | & ` $ ( ), so a
# denylist of those characters does not cover the documented
# escapeshellarg/escapeshellcmd bypass (which turns on quoting). Reject any
# POST to the search route whose parameters contain anything beyond letters,
# digits, space, dot, underscore, slash and hyphen, and reject values that
# start with a dash, since a search term shaped like a command-line option
# should never reach the shell.
SecRule REQUEST_METHOD "@streq POST" "id:1000533,phase:2,deny,status:403,msg:'GitList search term outside allowlist',chain"
    SecRule REQUEST_URI "@endsWith /search" "chain"
    SecRule ARGS_POST "!@rx ^(?!-)[A-Za-z0-9 ._/-]*$"
🧯 If You Can't Patch
- Implement strict network access controls to limit GitList access to trusted IPs only.
- Run the PHP worker as a dedicated low-privilege user with read-only access to the repositories, ideally in a container or otherwise isolated environment, so that code execution in the web context does not reach the rest of the host.
🔍 How to Verify
Check if Vulnerable:
Determine the installed GitList version from the source tree (git tags if installed from a checkout, otherwise the version string in the project's own files, not in vendored dependencies). GitList 0.6.0 and earlier is vulnerable; 0.7.0 contains the fix.
Check Version:
# Installed from a git checkout: the nearest tag tells you the version
git -C /path/to/gitlist describe --tags
# Installed from a release archive: search the project's own files for a 0.6 or older
# version string, excluding vendored dependencies which carry their own versions
grep -rIn --exclude-dir=vendor -iE 'version.*\b0\.[0-6](\.[0-9]+)?\b' /path/to/gitlist/ || echo 'No 0.0-0.6 version string found; confirm with the commit check below'
Verify Fix Applied:
Verify that the GitList installation includes commit 87b8c26b023c3fc37f0796b14bb13710f397b322 in its git history, or that the version is 0.7.0 or later. For a git checkout:
git -C /path/to/gitlist merge-base --is-ancestor 87b8c26b023c3fc37f0796b14bb13710f397b322 HEAD && echo 'fix commit present' || echo 'fix commit NOT in history'
For an installation without git history, diff the searchTree source against the fix commit linked above.
📡 Detection & Monitoring
Log Indicators:
- POST requests to a GitList search endpoint (/<repo>/tree/<branch>/search) whose search term contains a single quote, starts with a dash, or contains shell metacharacters
- PHP or web server error logs showing failures from the git/grep invocation behind the search form, or unexpected child processes started by the PHP worker
- Web server access logs with suspicious search parameters, especially from scripted clients
Network Indicators:
- POST requests to GitList search endpoint containing special characters like ;, |, &, `, $, (, )
SIEM Query:
source="web_logs" AND uri_path="*/search" AND http_method="POST" AND (params="*'*" OR params="*;*" OR params="*|*" OR params="*`*" OR params="*$(*" OR user_agent="*curl*" OR user_agent="*wget*")
(The path is matched with a leading wildcard because GitList's search route is repository-scoped; the user-agent clauses alone will be noisy in environments that script against GitList, so treat them as corroboration rather than as a trigger.)
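An added example, not part of the original page: the detection logic above run over a few constructed JSON-lines log records (field names mirror the SIEM query; the IPs, paths and search terms are invented). Unlike the page's query it does not alert on a scripted user agent alone, only uses it to corroborate a suspicious search term, and it ignores bare parentheses, which are ordinary in code searches, flagging `(` only as part of `$(`.

```python
import json
import re

# Constructed sample log records (JSON lines), not real traffic.
SAMPLE_LOG = """
{"src_ip":"10.0.0.5","http_method":"POST","uri_path":"/project/tree/master/search","user_agent":"Mozilla/5.0","params":{"query":"TODO fix"}}
{"src_ip":"10.0.0.5","http_method":"POST","uri_path":"/project/tree/master/search","user_agent":"Mozilla/5.0","params":{"query":"main(int argc)"}}
{"src_ip":"203.0.113.9","http_method":"POST","uri_path":"/project/tree/master/search","user_agent":"curl/7.68.0","params":{"query":"' --injected-option=value"}}
{"src_ip":"203.0.113.9","http_method":"POST","uri_path":"/project/tree/master/search","user_agent":"python-requests/2.25","params":{"query":"$(id)"}}
{"src_ip":"10.0.0.7","http_method":"GET","uri_path":"/project/tree/master/","user_agent":"Mozilla/5.0","params":{}}
"""

_SEARCH_PATH = re.compile(r"/search$")            # GitList's route is /<repo>/tree/<branch>/search
_METACHARS = re.compile(r"[;|&`]|\$\(")           # bare ( ) are not flagged on their own
_SCRIPTED_UA = re.compile(r"curl|wget|python-requests|go-http-client", re.I)


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record: dict) -> list[str]:
    """Return the reasons a record looks like an attempt against the search form.

    Empty list means benign or out of scope (non-POST, not a search route)."""
    if record.get("http_method") != "POST":
        return []
    if not _SEARCH_PATH.search(record.get("uri_path", "")):
        return []
    reasons = []
    for name, value in record.get("params", {}).items():
        if "'" in value:                      # the character the escaping bypass relies on
            reasons.append(f"{name}: single quote")
        if value.lstrip().startswith("-"):    # value shaped like a command-line option
            reasons.append(f"{name}: option-shaped value")
        if _METACHARS.search(value):          # classic command injection characters
            reasons.append(f"{name}: shell metacharacter")
    # A scripted client only strengthens an existing finding; it is not one by itself.
    if reasons and _SCRIPTED_UA.search(record.get("user_agent", "")):
        reasons.append("scripted client")
    return reasons


def find_alerts(records: list[dict]) -> list[tuple[str, list[str]]]:
    """(source IP, reasons) for every record that classify() flags."""
    alerts = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            alerts.append((rec.get("src_ip", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for src, why in find_alerts(parse_log(SAMPLE_LOG)):
        print(src, "->", "; ".join(why))
```

Run against the sample, the two human searches (including the one with parentheses) stay quiet and the two scripted requests from 203.0.113.9 are reported, one for the quote and one for the `$(` construct. Feed it your own access or WAF audit log once the POST body or decoded parameters are available in it; plain access logs usually do not carry the body, which is why the WAF rule above is the better place to log the search term.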
🔗 References
- https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
- https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html