CVE-2018-16771

9.8 CRITICAL

📋 TL;DR

CVE-2018-16771 is a critical PHP code injection vulnerability in Hoosk CMS v1.7.0. The installer writes the user-supplied SiteUrl parameter into config.php without sanitisation, so PHP code smuggled into that parameter is stored in the configuration file and executed every time the application loads it. Any v1.7.0 deployment whose installer is still reachable is exposed, and a successful attack gives the attacker code execution as the web server user, and from there control of the host.

💻 Affected Systems

Products:
  • Hoosk CMS
Versions: v1.7.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only while the installation script is reachable (that is where SiteUrl is supplied) or if the attacker can already write config.php. A completed installation whose installer has been removed and whose config.php is read-only to the web server user is not reachable through this vector.

📦 What is this software?

Hoosk is an open-source PHP content management system developed on GitHub (havok89/Hoosk). The vulnerable component is its web-based installer, which collects site settings such as SiteUrl and writes them into config.php.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Web server compromise leading to data theft, defacement, or use as part of a botnet for further attacks.

🟢

If Mitigated

Little residual risk once the installation script has been removed or blocked and config.php is no longer writable by the web server user: both paths to the bug are closed. Network segmentation and a web application firewall only reduce exposure; an installation that still serves the installer remains exploitable behind them.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the installation script to be reachable (typically a fresh or never-finalised deployment) or an existing ability to write config.php; no credentials are needed in the installer case. A public proof of concept is in the GitHub issue linked below.
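To make the mechanism concrete, the following added example (not Hoosk's own code) models an installer that interpolates the SiteUrl value straight into PHP source next to a hardened writer that allow-lists the URL and emits it as an escaped PHP literal. The configuration key name $config['base_url'], the one-line format and the payload are assumptions standing in for whatever the real installer writes; the bug class is the same.

```python
"""Model of a SiteUrl-to-config.php injection of the CVE-2018-16771 kind.

Added example, not Hoosk's own code. The key name $config['base_url'] and the
single-line format are assumptions standing in for whatever the real installer
writes; the bug class is the same: user input concatenated into PHP source.
"""
import re

# Assumed shape of the line the vulnerable installer writes into config.php.
VULNERABLE_TEMPLATE = "$config['base_url'] = '{site_url}';\n"


def write_config_vulnerable(site_url: str) -> str:
    """Plain string interpolation: a single quote in site_url closes the PHP
    literal, and everything after it is executed every time config.php loads."""
    return VULNERABLE_TEMPLATE.format(site_url=site_url)


# Allow-list for the hardened writer: http(s), hostname, optional port, optional
# path of unreserved characters. Quotes, semicolons, spaces and '<?' cannot pass.
SITE_URL_RE = re.compile(
    r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/-]*)?$"
)


def site_url_allowed(site_url: str) -> bool:
    """Allow-list check used by the hardened writer."""
    return SITE_URL_RE.fullmatch(site_url) is not None


def php_single_quoted(value: str) -> str:
    """Render value as a PHP single-quoted literal (only \\ and ' are special)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_config_hardened(site_url: str) -> str:
    """Reject anything outside the allow-list, then emit an escaped literal so
    the value can never terminate the PHP string even if the allow-list changes."""
    if not site_url_allowed(site_url):
        raise ValueError("SiteUrl rejected: expected a plain http(s) URL")
    return f"$config['base_url'] = {php_single_quoted(site_url)};\n"


# What a correctly written line looks like: one string literal, one terminating ';'.
EXPECTED_LINE = re.compile(r"^\$config\['base_url'\] = '((?:[^'\\]|\\.)*)';\s*$")


def escapes_literal(config_line: str) -> bool:
    """True when the written line no longer consists of a single string literal,
    i.e. part of the SiteUrl value has become executable PHP."""
    return EXPECTED_LINE.match(config_line) is None


if __name__ == "__main__":
    # Constructed payload: closes the literal, runs a command, comments out the rest.
    payload = "http://example.com/';system('id');//"
    print(write_config_vulnerable(payload), end="")
    print("breaks out of the literal:", escapes_literal(write_config_vulnerable(payload)))
    print(write_config_hardened("https://example.com/blog"), end="")
```

The allow-list is the real fix; the escaping is defence in depth. Escaping alone would still let an attacker store odd characters in the site URL, and a later change to the template (for example switching to double quotes) could reopen the hole.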

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.8.0 or later

Vendor Advisory (GitHub issue): https://github.com/havok89/Hoosk/issues/46

Restart Required: No

Instructions:

1. Back up the current installation and database.
2. Download Hoosk v1.8.0 or later from the official repository.
3. Replace all files except config.php and the uploads directory.
4. Before keeping the old config.php, read it: this bug plants its payload there, so a file carried over from a compromised install carries the backdoor with it. It should contain only configuration assignments, with no function calls and nothing after the terminating semicolon of the site URL line.
5. Remove the installation script if the new version leaves it in place, and verify the site works correctly.

🔧 Temporary Workarounds

Secure config.php permissions

linux

Make config.php unwritable by the web server user. Note that the original advice of chown www-data with mode 644 does not do this: the owner keeps write access. Give the file to a privileged account and let the web server group read it only.

chown root:www-data config.php
chmod 640 config.php

Web Application Firewall rule

all

Block requests to the installation script whose SiteUrl parameter contains characters a site URL never needs (quotes, semicolons, "<?", "php://"), or deny the installation path entirely once setup is complete. The rule must inspect POST bodies, since the installer form submits SiteUrl in the body rather than the query string.

🧯 If You Can't Patch

  • Delete the installation script, or deny web access to it, as soon as setup is complete
  • Remove write permissions from config.php for the web server user after installation
  • If you maintain a fork, validate SiteUrl against an allow-list (scheme, host, optional port and path) before writing it, and emit it as an escaped PHP literal instead of interpolating it into source

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version (admin panel, or the release tag of the checked-out source), check whether the installation script is still present and reachable, and inspect config.php for anything other than plain configuration assignments.

Check Version and Exposure:

ls -ld install config.php
grep -nE "(system|eval|exec|passthru|base64_decode)\s*\(" config.php

Verify Fix Applied:

Confirm the version is 1.8.0 or later, the installation script is no longer reachable, config.php is not writable by the web server user, and config.php holds only expected configuration assignments (no function calls, no second statement on the site URL line).

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the installation script on a site that has already been set up
  • Modifications to config.php (file integrity monitoring or a changed mtime)
  • PHP parse errors or warnings that reference config.php; a malformed injection payload often breaks the file before a working one lands

Network Indicators:

  • HTTP requests with PHP code in SiteUrl parameter
  • Traffic to known malicious IPs from web server

SIEM Query:

source="web_logs" AND (
    (uri="*/install*" AND param="SiteUrl" AND (value="*'*" OR value="*;*" OR value="*<?*" OR value="*php://*" OR value="*system(*" OR value="*eval(*"))
    OR (file="config.php" AND action="modify")
)

The query is pseudo-syntax; field names depend on your SIEM, and the SiteUrl value is only visible if the log source records request bodies (WAF or reverse proxy logs), since a plain access log does not contain POST parameters.
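The detection logic above, written out as an added example that is not part of the original page or of Hoosk: it flags installer requests whose decoded SiteUrl carries injection markers, and separately flags config.php lines that call dangerous functions or where the site URL assignment is no longer a single string literal. The log lines and config.php contents are constructed, and the $config['base_url'] key name is an assumption.

```python
"""Detection checks for CVE-2018-16771 style SiteUrl injection.

Added example, not Hoosk's code. The log lines and config.php snippets below
are constructed; the $config['base_url'] key name is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format). For an install form the
# SiteUrl value normally travels in the POST body, which the access log does
# not record; it is shown in the query string here so the example runs offline.
# Against real traffic, feed this the request logs of a WAF or reverse proxy
# that captures bodies.
LOG_LINES = [
    '203.0.113.7 - - [10/Sep/2018:12:01:02 +0000] "POST /install/index.php?SiteUrl=http%3A%2F%2Fexample.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2018:12:01:09 +0000] "POST /install/index.php?SiteUrl=http%3A%2F%2Fexample.com%2F%27%3Bsystem%28%27id%27%29%3B%2F%2F HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Sep/2018:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/'
)
# A legitimate site URL never needs quotes, semicolons, PHP tags or stream
# wrappers; any of these in SiteUrl is an injection attempt or a broken client.
INJECTION_MARKERS = re.compile(
    r"""['";<>]|php://|\b(?:system|eval|exec|shell_exec|passthru|assert)\s*\(""", re.I
)


def find_install_injections(lines):
    """Return (client_ip, decoded SiteUrl) for requests to the installer whose
    SiteUrl carries injection markers."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if "/install" not in parts.path:
            continue
        for value in parse_qs(parts.query).get("SiteUrl", []):  # parse_qs URL-decodes
            if INJECTION_MARKERS.search(value):
                hits.append((m.group("ip"), value))
    return hits


# Host-side check: config.php should contain assignments, not function calls.
DANGEROUS_CALLS = re.compile(
    r"\b(?:system|eval|exec|shell_exec|passthru|assert|base64_decode)\s*\(", re.I
)
BASE_URL_LINE = re.compile(r"^\$config\['base_url'\]\s*=\s*'(?:[^'\\]|\\.)*';\s*$")


def config_suspicious_lines(config_text):
    """Return lines of config.php that call a dangerous function or where the
    base_url assignment is no longer a single string literal."""
    flagged = []
    for line in config_text.splitlines():
        if DANGEROUS_CALLS.search(line):
            flagged.append(line)
        elif line.startswith("$config['base_url']") and not BASE_URL_LINE.match(line):
            flagged.append(line)
    return flagged


# Constructed config.php contents: one clean, one carrying the injected statement.
CLEAN_CONFIG = "<?php\n$config['base_url'] = 'https://example.com/';\n$config['index_page'] = 'index.php';\n"
INJECTED_CONFIG = "<?php\n$config['base_url'] = 'https://example.com/';system('id');//';\n"

if __name__ == "__main__":
    for ip, value in find_install_injections(LOG_LINES):
        print(f"installer injection attempt from {ip}: {value!r}")
    for line in config_suspicious_lines(INJECTED_CONFIG):
        print("suspicious config.php line:", line)
```

The structural check on the site URL line catches payloads that avoid the well-known function names (an `echo`, an `include`, a variable function call), which a keyword list alone would miss; the keyword list catches code injected anywhere else in the file.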
