CVE-2018-10429

9.8 CRITICAL

📋 TL;DR

CVE-2018-10429 is a critical remote code execution vulnerability in Cosmo CMS that allows attackers to execute arbitrary PHP code during installation. Attackers can inject malicious PHP code through the Database Prefix field in install.php, leading to complete system compromise. This affects all users running Cosmo 1.0.0Beta6 who have not completed installation or have left install.php accessible.

💻 Affected Systems

Products:
  • Cosmo CMS
Versions: 1.0.0Beta6
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable during installation phase or if install.php file remains accessible after installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with the attacker gaining full administrative access, data theft, backdoor installation, and lateral movement to other systems.

🟠 Likely Case: Webshell deployment leading to website defacement, data exfiltration, and use as a pivot point for further attacks.

🟢 If Mitigated: Limited impact if install.php is removed after installation and proper file permissions are set.

🌐 Internet-Facing: HIGH - The vulnerability is in an installation script typically exposed during setup, making internet-facing systems extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable if install.php remains accessible, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply need to access install.php and inject PHP code in the Database Prefix field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.0.0Beta6

Vendor Advisory: https://github.com/CosmoCMS/Cosmo/issues/405

Restart Required: No

Instructions:

1. Upgrade to the latest Cosmo CMS version.
2. If using 1.0.0Beta6, manually delete install.php after installation.
3. Ensure proper input validation is implemented for all installation fields.

🔧 Temporary Workarounds

Remove install.php (Platform: all)

Delete the vulnerable installation script after successful installation:

rm /path/to/cosmo/install.php

Restrict access to install.php (Platform: all)

Use web server configuration to block access to install.php:

# Apache 2.2 (or 2.4 with mod_access_compat loaded): add to .htaccess
<Files "install.php">
    Order allow,deny
    Deny from all
</Files>
# Apache 2.4 without mod_access_compat: Order/Deny are not recognised, use Require instead
<Files "install.php">
    Require all denied
</Files>
# Nginx: add to server block (deny all on its own already answers with 403)
location ~ /install\.php$ {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Immediately delete install.php file from web root after installation
  • Implement strict input validation and sanitization for all installation form fields

🔍 How to Verify

Check if Vulnerable:

Check if install.php exists in Cosmo installation directory and if Cosmo version is 1.0.0Beta6

Check Version:

Check Cosmo version in configuration files or admin panel

Verify Fix Applied:

Confirm install.php is deleted or inaccessible, and verify Cosmo version is newer than 1.0.0Beta6

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to install.php
  • Database prefix field containing PHP code patterns
  • Web server errors related to PHP execution

Network Indicators:

  • HTTP requests to install.php after installation
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri="/install.php" OR uri LIKE "%install.php%") AND (method="POST" OR status_code=200)
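The log indicators and the SIEM query above expressed as a script: this is an added example, not part of the advisory or of Cosmo CMS. It parses constructed Apache/Nginx combined-format access log lines, flags requests to install.php that arrive after a known installation-completion time, POSTs to the installer, and query strings that decode to PHP code markers. The log layout, the sample entries and the installation timestamp are all assumptions; POST bodies (where the Database Prefix field actually travels) are not recorded in access logs, so that check needs a WAF or mod_security audit log.

```python
"""Flag suspicious requests to install.php in web server access logs."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumed Apache/Nginx "combined" log layout; adjust the pattern to your server's format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Crude markers of PHP code in a parameter value. Only query strings are visible
# in access logs; POST bodies require a WAF or mod_security audit log.
PHP_MARKERS = re.compile(r"<\?php|<\?=|\beval\(|\bsystem\(|\bpassthru\(", re.I)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2018:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Apr/2018:10:00:05 +0000] "POST /install.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [13/Apr/2018:09:30:00 +0000] "GET /install.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [13/Apr/2018:09:30:09 +0000] "GET /install.php?step=2&db_prefix=%3C%3Fphp HTTP/1.1" 200 1024',
    '192.0.2.4 - - [13/Apr/2018:11:00:00 +0000] "GET /install.php HTTP/1.1" 403 0',
    '198.51.100.9 - - [13/Apr/2018:09:31:00 +0000] "POST /install.php HTTP/1.1" 200 300',
]
# Assumed time at which the legitimate installation finished.
INSTALL_DONE = datetime(2018, 4, 12, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec, install_completed=None):
    """Return a reason string if the request is suspicious, else None."""
    path, _, query = rec["uri"].partition("?")
    if not path.endswith("/install.php"):
        return None
    # PHP code in any installer parameter is suspicious regardless of timing.
    if PHP_MARKERS.search(unquote(query)):
        return "php-code-in-query"
    after_setup = install_completed is not None and rec["ts"] > install_completed
    if rec["method"] == "POST":
        if install_completed is None:
            return "post-to-install"           # no baseline: every POST is notable
        return "post-after-setup" if after_setup else None
    if after_setup and rec["status"] == 200:
        return "install-reachable-after-setup"  # the script should be gone or blocked
    return None


def find_alerts(lines, install_completed=None):
    """Return (ip, method, uri, reason) tuples for every suspicious request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, install_completed)
        if reason:
            alerts.append((rec["ip"], rec["method"], rec["uri"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, INSTALL_DONE):
        print(*alert)
```

Passing the installation-completion time is what separates the installer's own legitimate POST from later activity; without it the script falls back to the advisory's broader rule and reports every POST to install.php. A 403 on install.php after setup is not reported, since that is exactly what the web server workaround above produces.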
