CVE-2018-18934
📋 TL;DR
PopojiCMS v2.0.1 lets a remote attacker upload a ZIP archive through the component installer (the admin_component.php handler, reached as po-admin/route.php?mod=component&act=addnew with the archive in the fupload field). Nothing checks the archive for PHP files before it is extracted, so a PHP file inside it lands under the web root and runs when requested, giving arbitrary code execution on the server. The upload does not require authentication, and because the request is not protected against Cross-Site Request Forgery (CSRF) it can also be triggered from a logged-in administrator's browser while that administrator visits an attacker-controlled page. All PopojiCMS v2.0.1 installations with the component installer enabled are affected.
💻 Affected Systems
- PopojiCMS
📦 What is this software?
PopojiCMS (vendor: PopojiCMS) is an open-source content management system written in PHP. Components are add-on modules that an administrator installs from the admin panel by uploading a ZIP archive; that installer is the code path this vulnerability abuses.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, defacement, backdoor installation, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, data exfiltration, and potential ransomware deployment on the web server.
If Mitigated
Attack blocked: the component installer requires an authenticated administrator session and an anti-CSRF token, uploaded archives are validated before extraction (no PHP files, no path traversal, no server configuration files), and the web server does not execute PHP from the directory components are extracted into.
🎯 Exploit Status
Exploitation is straightforward: a ZIP archive containing a PHP file, submitted as the fupload field of a POST to po-admin/route.php?mod=component&act=addnew. The CSRF vector lets an attacker who cannot reach the admin interface directly have a logged-in administrator's browser submit that upload on their behalf, so network restrictions on the admin panel alone do not close the hole.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.0.2 or later
Vendor Advisory: https://github.com/PopojiCMS/PopojiCMS/issues/12
Restart Required: No
Instructions:
1. Back up your current installation (files and database).
2. Download the latest version from the official PopojiCMS repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by testing the component upload with a harmless archive (see How to Verify).
🔧 Temporary Workarounds
Disable component upload functionality
Linux: temporarily take the vulnerable endpoint offline. The request is routed through po-admin/route.php, which dispatches every admin module (selected by the mod parameter), so this disables the whole admin panel, not just the component installer; use it only until the patch is applied. Pick one of the two commands: running chmod after mv fails because the original path no longer exists.
mv /path/to/po-admin/route.php /path/to/po-admin/route.php.disabled
# or, keeping the file in place:
chmod 000 /path/to/po-admin/route.php
Implement file upload restrictions
All platforms: the web server cannot look inside a compressed upload, so it cannot "block ZIP files" as such. What it can do is refuse requests to the component installer, which is identified by the mod=component query parameter on po-admin/route.php (the fupload name is a field in the multipart body and never appears in the URI, so matching the URI for it does nothing). The rules below match on the query string; they also block viewing the Components page, which is acceptable for a temporary measure.
# Apache: .htaccess in the PopojiCMS document root (mod_rewrite must be enabled):
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)mod=component(&|$) [NC]
RewriteRule ^po-admin/route\.php$ - [F,L]
# nginx: inside the site's server block. An exact-match location takes precedence over
# the regex PHP location, so repeat your existing fastcgi directives here.
location = /po-admin/route.php {
    if ($args ~* "(^|&)mod=component(&|$)") {
        return 403;
    }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # adjust to your PHP-FPM socket
}
🧯 If You Can't Patch
- Put a WAF or reverse-proxy rule in front of po-admin/route.php that blocks POST requests whose query string contains mod=component and act=addnew (or any multipart/form-data POST to that endpoint). Match on the request line, not on the upload: the archive is compressed, so a rule looking for "<?php" in the body will not see it.
- Restrict network access to the admin interface (the whole po-admin/ path) to administrator IP ranges or a VPN. On its own this does not stop the CSRF vector, since the administrator's browser is inside the allowed range, so combine it with the endpoint block above.
- Disable PHP execution in the directory PopojiCMS extracts components into (with mod_php, php_admin_flag engine off for that directory in the vhost; with PHP-FPM, exclude the directory from the PHP location block), so that an uploaded PHP file cannot run even if the upload succeeds.
🔍 How to Verify
Check if Vulnerable:
An installation running PopojiCMS 2.0.1 is vulnerable if the component installer is reachable, that is, if a POST to po-admin/route.php?mod=component&act=addnew with a file in the fupload field is accepted rather than rejected or redirected to the login page.
Check Version:
grep -rIi "version" /path/to/popojicms --include='*.php' | grep "2\.0\.1"
The grep is a heuristic (PHP files mentioning both "version" and 2.0.1); confirm against the release you actually deployed.
Verify Fix Applied:
In a staging copy, upload a ZIP archive whose only PHP file is harmless (for example one that echoes a fixed marker string; never use a real webshell for this test). The fix is in place if the archive is rejected, or if the file is extracted but requesting it returns 403/404 or the raw source rather than the marker. Remove the test component afterwards.
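To carry out that check without handing a real webshell to a server, and to show the validation a patched component installer should apply, the following Python script is an added example (not PopojiCMS code and not taken from this advisory). build_test_zip() creates an archive whose only PHP file echoes a fixed marker; screen_zip() inspects an archive's member names before extraction and rejects PHP files, path-traversal entries and server configuration overrides. The component-name/file archive layout, the member names and the extension list are assumptions.

```python
import io
import zipfile

# Harmless marker: if the server executes the file, the marker appears in the response.
MARKER = "cve-2018-18934-verification"
BENIGN_PHP = f"<?php echo '{MARKER}'; ?>\n".encode()

# Extensions commonly handed to the PHP interpreter (exact set depends on server config).
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")
# Files that change how the web server treats the directory they land in.
SERVER_CONFIG_FILES = (".htaccess", ".user.ini")


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_test_zip(component: str = "verify_test") -> bytes:
    """Archive for the verification step: one benign PHP file plus a readme.
    The 'component-name/file' layout is an assumption about the installer."""
    return _zip_bytes({
        f"{component}/readme.txt": "verification archive, safe to delete\n",
        f"{component}/index.php": BENIGN_PHP,
    })


def build_clean_zip(component: str = "clean_component") -> bytes:
    """Static-only component that a screening check should accept."""
    return _zip_bytes({
        f"{component}/template.html": "<p>component</p>\n",
        f"{component}/style.css": "p { color: #333; }\n",
    })


def build_traversal_zip() -> bytes:
    """Archive whose member escapes the target directory (zip-slip)."""
    return _zip_bytes({"../../po-admin/.htaccess": "php_flag engine on\n"})


def _member_findings(name: str) -> list:
    """Problems with a single archive member name, checked without extracting."""
    findings = []
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        findings.append("absolute path")
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        findings.append("path traversal")
    if parts[-1].lower() in SERVER_CONFIG_FILES:
        findings.append("server config override")
    # Match the extension anywhere in the name: x.php.jpg may still execute on
    # Apache setups with AddHandler or multiviews.
    if any(ext in name.lower() for ext in PHP_EXTENSIONS):
        findings.append("php file")
    return findings


def screen_zip(data: bytes) -> dict:
    """Inspect every member of an uploaded archive; decide before extracting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings.extend(f"{info.filename}: {p}" for p in _member_findings(info.filename))
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, data in (("test", build_test_zip()), ("clean", build_clean_zip()),
                        ("traversal", build_traversal_zip())):
        print(label, screen_zip(data))
```

Write build_test_zip() to disk and submit it through the installer in staging; a response containing the marker string means PHP inside the archive still executes. The screen rejects on names alone, which is deliberate: content sniffing can be fooled, but a file the PHP handler will never be asked to run cannot be a webshell.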
📡 Detection & Monitoring
Log Indicators:
- POST requests to po-admin/route.php with mod=component&act=addnew in the query string, especially from an address that never authenticated, with a Referer from another site or no Referer at all (CSRF pattern), or outside normal administrative hours.
- Multipart uploads of .zip files to admin endpoints. Standard access logs do not record the uploaded file name or its Content-Type; this indicator needs WAF, reverse-proxy or application-level request logging.
- New .php files appearing in the directory components are extracted into, and requests for them, particularly requests carrying query parameters (a typical webshell pattern). File-integrity monitoring or a periodic find -newer over that directory catches the files; the access log catches the requests.
Network Indicators:
- Unusual outbound connections from the web server following a component upload (reverse shells, tool download, data exfiltration).
- Inbound multipart/form-data POSTs to admin endpoints from unexpected sources.
SIEM Query:
source="web_logs" AND method="POST" AND uri="/po-admin/route.php*" AND uri="*mod=component*" AND uri="*act=addnew*"
The query keys on the request line because the uploaded file name is not in the access log; mod=component and act=addnew are matched separately because they may appear in either order. Add a clause such as referer!="*your-cms-host*" to single out the CSRF pattern.
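The following Python script, an added example rather than code from PopojiCMS or this advisory, runs the log indicators above over constructed access-log lines in combined format: it flags POSTs to po-admin/route.php with mod=component&act=addnew, marks those whose Referer is missing or from another host as CSRF suspects, and flags PHP requests under the component directory. The hostname cms.example, the component directory /po-content/component/ and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "cms.example"                 # the CMS's own hostname (assumption)
COMPONENT_DIR = "/po-content/component/"  # where components are extracted (assumption)

# Constructed sample traffic in combined log format (not real log data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2018:10:01:12 +0000] "GET /po-admin/route.php?mod=dashboard HTTP/1.1" 200 5120 "https://cms.example/po-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2018:10:01:40 +0000] "POST /po-admin/route.php?mod=component&act=addnew HTTP/1.1" 302 0 "http://attacker.example/csrf.html" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2018:10:02:03 +0000] "GET /po-content/component/shell/x.php?cmd=id HTTP/1.1" 200 88 "-" "curl/7.58.0"
192.0.2.9 - - [10/Nov/2018:10:03:15 +0000] "POST /po-admin/route.php?mod=component&act=addnew HTTP/1.1" 302 0 "https://cms.example/po-admin/route.php?mod=component" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict, site_host: str = SITE_HOST) -> list:
    """Return the alert names that apply to one parsed request."""
    alerts = []
    url = urlsplit(entry["target"])
    params = parse_qs(url.query)
    is_component_upload = (
        entry["method"] == "POST"
        and url.path.endswith("/po-admin/route.php")
        and params.get("mod") == ["component"]
        and params.get("act") == ["addnew"]
    )
    if is_component_upload:
        # Browsers may strip the Referer entirely under a strict referrer policy,
        # so a missing Referer is treated the same as a foreign one.
        ref_host = None
        if entry["referer"] not in ("", "-"):
            ref_host = urlsplit(entry["referer"]).hostname
        if ref_host == site_host:
            alerts.append("component-upload")              # admin action, still worth review
        else:
            alerts.append("component-upload-csrf-suspect")  # Referer missing or from another site
    if url.path.startswith(COMPONENT_DIR) and url.path.lower().endswith(".php"):
        alerts.append("php-executed-in-component-dir")
    return alerts


def scan(log_text: str, site_host: str = SITE_HOST) -> list:
    """(ip, timestamp, alert) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for alert in classify(entry, site_host):
            hits.append((entry["ip"], entry["ts"], alert))
    return hits


if __name__ == "__main__":
    for ip, ts, alert in scan(SAMPLE_LOG):
        print(f"{ts} {ip:15} {alert}")
```

Against a real deployment, set SITE_HOST to the CMS hostname, COMPONENT_DIR to the directory your installation extracts components into, and feed scan() the contents of the access log. The php-executed-in-component-dir alert will fire on legitimate components that ship PHP, so correlate it with a preceding component-upload alert from an unexpected address rather than acting on it alone.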