CVE-2018-9847
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary PHP code on Gxlcms QY systems by injecting malicious code into templates through the update function. It affects all installations of Gxlcms QY v1.0.0713 with the vulnerable component enabled. Attackers can gain complete control of affected systems.
💻 Affected Systems
- Gxlcms QY
📦 What is this software?
Gxlcms Qy by Gxlcms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement within network, and persistent backdoor installation.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, and server takeover.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking malicious template uploads, and restricted admin access.
🎯 Exploit Status
Exploitation requires admin access to the template update function. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Check for official patch from Gxlcms vendor
2. If no patch available, upgrade to newer version if exists
3. Apply manual code fixes to validate template inputs
4. Remove or restrict access to vulnerable TplAction.class.php file
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the admin panel to trusted IP addresses only.
# Configure web server (Apache example)
# Place this in the virtual host config. <Location> is not permitted inside
# .htaccess; there, use the Order/Deny/Allow (or Require) lines on their own.
<Location /admin>
    # Apache 2.2 syntax (on 2.4 this needs mod_access_compat)
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 10.0.0.0/8
    # Apache 2.4 native equivalent:
    # Require ip 192.168.1.0/24 10.0.0.0/8
</Location>
Disable Template Update Function
Remove or rename the vulnerable TplAction.class.php file.
# Linux/macOS
mv Lib/Lib/Action/Admin/TplAction.class.php Lib/Lib/Action/Admin/TplAction.class.php.disabled
# Windows
ren Lib\Lib\Action\Admin\TplAction.class.php TplAction.class.php.disabled
🧯 If You Can't Patch
- Implement strict input validation for template content to prevent PHP code injection
- Deploy web application firewall (WAF) with rules to detect and block template-based code injection attempts
🔍 How to Verify
Check if Vulnerable:
Check if file exists: Lib/Lib/Action/Admin/TplAction.class.php and verify version is v1.0.0713
Check Version:
# Check Gxlcms version in configuration files
# Look for version information in config files or admin panel
Verify Fix Applied:
Verify the vulnerable file has been removed/renamed or that template inputs are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual template file modifications
- Admin panel access from unexpected IPs
- POST requests to template update endpoints with PHP code
Network Indicators:
- HTTP requests containing PHP code in template parameters
- Unusual outbound connections from web server
SIEM Query:
web.url.path:"/admin/tpl/update" AND web.post_data:"<?php"
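The SIEM query above matches only the literal string `<?php` in the POST body, which misses form bodies that arrive percent-encoded (`%3C%3Fphp`), double-encoded bodies, and the `<?=` short echo tag. The following detector is an added example, not code from the page or from the Gxlcms project: it reads JSON log records whose field names follow the page's SIEM query (`web.url.path`, `web.post_data`), decodes the body before matching, and flags POSTs to the template update endpoint that carry any PHP open tag. The endpoint path `/admin/tpl/update` is assumed from the query above and may need adjusting to the real Gxlcms QY route; all sample records are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

# Endpoint path taken from the page's SIEM query; the real Gxlcms QY route
# may differ, so treat this tuple as a tunable assumption.
TEMPLATE_UPDATE_PATHS = ("/admin/tpl/update",)

# PHP open tags: full "<?php", short echo "<?=", and bare "<? " (short_open_tag).
PHP_TAG_RE = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)


def decode_body(raw: str) -> str:
    """Form bodies are percent-encoded; decode twice so that both %3C%3Fphp and
    double-encoded %253C%253Fphp are seen as <?php. A literal '+' becomes a
    space on the second pass, which is harmless for tag detection."""
    return unquote_plus(unquote_plus(raw))


def is_suspicious(record: dict) -> bool:
    """True when a POST to a template update endpoint carries a PHP open tag."""
    if record.get("method", "").upper() != "POST":
        return False
    path = record.get("web.url.path", "")
    if not any(path.startswith(p) for p in TEMPLATE_UPDATE_PATHS):
        return False
    body = decode_body(record.get("web.post_data", ""))
    return PHP_TAG_RE.search(body) is not None


def scan(lines):
    """Parse one JSON record per line and return the records worth alerting on.
    Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(rec):
            hits.append(rec)
    return hits


# Constructed sample records (not real traffic). Expected: records 3, 4 and 6 hit.
SAMPLE_LOG = [
    '{"method": "GET", "web.url.path": "/admin/tpl/update", "web.post_data": ""}',
    '{"method": "POST", "web.url.path": "/admin/tpl/update", "web.post_data": "content=%3Cdiv%3EHello%3C%2Fdiv%3E"}',
    '{"method": "POST", "web.url.path": "/admin/tpl/update", "web.post_data": "content=<?php echo 1; ?>"}',
    '{"method": "POST", "web.url.path": "/admin/tpl/update", "web.post_data": "content=%3C%3Fphp+echo+1%3B+%3F%3E"}',
    '{"method": "POST", "web.url.path": "/admin/user/login", "web.post_data": "content=<?php echo 1; ?>"}',
    '{"method": "POST", "web.url.path": "/admin/tpl/update", "web.post_data": "content=%253C%253Fphp%2520test"}',
    'not a json record',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print("ALERT: PHP tag in template update:", rec["web.url.path"], rec["web.post_data"])
```

Run it over a line-delimited export from the WAF or reverse proxy that records request bodies; a plain access log has no body field, so the check has to sit wherever the body is logged.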