CVE-2019-11618
📋 TL;DR
CVE-2019-11618 is a default-credential vulnerability in doorGets 7.0: the CMS ships with a hardcoded API access token that grants administrator-level access to its API. A remote attacker who knows the token (it is published in the public proof of concept) can create and modify articles through /api/index.php without ever logging in. All doorGets 7.0 installations running the default configuration are affected.
💻 Affected Systems
- doorGets CMS
📦 What is this software?
doorGets CMS, an open-source PHP content management system published by the doorGets project.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the doorGets CMS, allowing attackers to create/modify content, upload malicious files, potentially leading to website defacement, data theft, or server compromise.
Likely Case
Unauthorized content modification, creation of malicious articles/pages, and potential privilege escalation to full administrative control.
If Mitigated
Limited impact if the default access token was replaced during installation (changing the administrator password alone does not invalidate a token hardcoded in the application) or if the API endpoint is reachable only from trusted networks.
🎯 Exploit Status
Exploitation requires only the hardcoded access token and the API endpoint structure, both of which are published in the public proof-of-concept code; no prior authentication or user interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: doorGets 7.0.1 or later
Reference (researcher proof of concept, not a vendor advisory): https://github.com/itodaro/doorGets_cve
Restart Required: No
Instructions:
1. Upgrade to doorGets 7.0.1 or later.
2. Change the default administrator credentials and replace the default access token.
3. Review and secure the API endpoints (restrict who can reach /api/index.php).
🔧 Temporary Workarounds
Change Default Credentials
Change the default administrator password and replace the hardcoded access token immediately.
Log in to the doorGets admin panel and change the administrator password in user settings. Because the token is hardcoded, it is not rotated by a password change; it has to be replaced wherever it is defined in the application, and any legitimate API client updated to match.
Restrict API Access
Block or restrict access to the /api/index.php endpoint via web server configuration or firewall. Note that a blanket deny also breaks legitimate API clients; add allow rules for trusted sources if the API is in use.
# Apache 2.4: in the virtual host configuration
# (<Location> is not valid in .htaccess; for a .htaccess inside the api/
# directory use <Files "index.php"> instead. <Files> matches only the file
# name, so <Files "api/index.php"> would never match.)
<Location "/api/index.php">
    Require all denied
</Location>
# Apache 2.2 equivalent inside the same block:
#   Order Deny,Allow
#   Deny from all
# Nginx: add to the server block. The "=" exact match takes precedence over
# a "location ~ \.php$" regex block, so the PHP handler cannot shadow it.
location = /api/index.php {
    # allow 192.0.2.0/24;   # optional: trusted API clients
    deny all;               # returns 403 to everyone else
}
🧯 If You Can't Patch
- Change all default credentials including administrator password and any hardcoded tokens
- Implement network-level restrictions to block external access to the doorGets API endpoints
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version is 7.0, then send the documented request to /api/index.php (uri=blog&action=index&controller=blog) with the access_token parameter set to the known default token. If the API answers with content instead of an authorisation error, the default token is still accepted.
Check Version:
Read the version from the admin panel, or from the version string in the installation's source files if the panel is unavailable.
Verify Fix Applied:
Confirm the version is 7.0.1 or later, then repeat the request above with the default token; it must now be rejected exactly as a random, invalid token is.
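The verification steps above, as an added example script (not from the original page or the doorGets project). It sends the advisory's read-only request twice, once with the published default token and once with a freshly generated random token, and compares the two answers: the default token is only "special" if the server treats it differently from garbage. The endpoint path, the form parameters and the access_token name come from the advisory; the assumption that the token travels in a POST body (rather than the query string) and the status-code interpretation in verdict() are mine.

```python
"""Differential probe for the CVE-2019-11618 default doorGets API token.

Added example, not doorGets code. Usage: python probe.py https://cms.example
(base URL is a constructed placeholder). Only the read-only 'index' action is
sent; nothing is created or modified.
"""
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

API_PATH = "/api/index.php"
DEFAULT_TOKEN = "H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9"  # from the advisory


def build_probe(base_url, token):
    """Return (url, urlencoded body) for the request the advisory documents."""
    url = base_url.rstrip("/") + API_PATH
    body = urllib.parse.urlencode({
        "uri": "blog",
        "action": "index",
        "controller": "blog",
        "access_token": token,   # assumption: sent in the POST body
    })
    return url, body


def send(base_url, token, timeout=10):
    """POST the probe and return (status, first 4 KiB of body)."""
    url, body = build_probe(base_url, token)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096)


def verdict(default_resp, control_resp):
    """Compare the default-token answer with the random-token answer.

    no-api          : endpoint missing on both requests
    not-vulnerable  : default token gets exactly the same answer as a random one
    vulnerable      : default token gets a 2xx while the random token does not
    inconclusive    : answers differ but the default token was not accepted
    (status-code interpretation is an assumption, not doorGets behaviour)
    """
    d_status, d_body = default_resp
    c_status, c_body = control_resp
    if d_status == 404 and c_status == 404:
        return "no-api"
    if d_status == c_status and d_body == c_body:
        return "not-vulnerable"
    if 200 <= d_status < 300:
        return "vulnerable"
    return "inconclusive"


def check(base_url):
    control_token = secrets.token_urlsafe(32)   # same length class, random value
    return verdict(send(base_url, DEFAULT_TOKEN), send(base_url, control_token))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <base-url>")
    print(check(sys.argv[1]))
```

Run it only against systems you are authorised to test. A "vulnerable" result means the server answered the published token with a 2xx while rejecting a random one; an "inconclusive" result usually means an intermediary (WAF, proxy) is shaping responses and the body should be inspected by hand.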
📡 Detection & Monitoring
Log Indicators:
- API requests to /api/index.php carrying an access_token parameter, especially from source addresses that are not known API clients
- Article creation or modification performed by a client that never passed through the administrator login flow (the token bypasses login, so there may be no failed or successful login to correlate with)
- Article creation/modification events that no administrator can account for
Network Indicators:
- HTTP POST requests to /api/index.php with uri=blog&action=index&controller=blog parameters
- Traffic containing the hardcoded access token H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 (visible on the wire over plain HTTP; over HTTPS only at the server or a TLS-terminating proxy)
SIEM Query:
source="web_server" AND (url="/api/index.php" AND (parameters CONTAINS "access_token" OR parameters CONTAINS "H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9"))
Caveat: standard access logs record the request line, so only query-string parameters are visible; a token sent in the POST body, as in the documented request, will not match. Enable request-body logging (for example a ModSecurity audit log or a WAF) or the query silently misses the exploit, and at minimum alert on every POST to /api/index.php.
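The log indicators above as runnable detection logic, added here as an example (not from the original page or any doorGets tooling). It parses combined-format access log lines, flags the default token or any access_token in the query string as the SIEM query would, and, unlike the query, also raises a medium finding for bare POSTs to /api/index.php whose body the log cannot show. The sample lines are constructed for the example.

```python
"""Scan combined-format web server logs for CVE-2019-11618 abuse indicators.

Added example, not doorGets code. Assumes Apache/Nginx 'combined' format.
"""
import re
from urllib.parse import parse_qs, urlsplit

DEFAULT_TOKEN = "H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9"  # from the advisory
API_PATH = "/api/index.php"

# host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(line):
    """Return a finding dict for a suspicious line, or None.

    high   : the published default token appears in the query string
    medium : some access_token was sent to the API, or a POST hit the API
             endpoint and the body (where the PoC puts the token) is not logged
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != API_PATH:
        return None
    tokens = parse_qs(url.query).get("access_token", [])
    if DEFAULT_TOKEN in tokens:
        severity, reason = "high", "default doorGets token in query string"
    elif tokens:
        severity, reason = "medium", "access_token parameter sent to API"
    elif m["method"] == "POST":
        severity, reason = "medium", "POST to API endpoint; body not logged, check WAF/body log"
    else:
        return None
    return {
        "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
        "severity": severity, "reason": reason,
    }


def scan(lines):
    """Classify every line and keep the findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2019:12:00:01 +0000] "POST /api/index.php?uri=blog&action=index&controller=blog&access_token='
    + DEFAULT_TOKEN + ' HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [10/May/2019:12:00:02 +0000] "POST /api/index.php HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.4 - - [10/May/2019:12:00:03 +0000] "GET /index.php?controller=blog HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2019:12:00:04 +0000] "GET /api/index.php?uri=blog&access_token=notthedefault HTTP/1.1" 403 120 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]:15} {finding["status"]} {finding["reason"]}')
```

The second sample line is the important one: it is exactly what the documented POST looks like in a default access log, and the token-matching SIEM query never fires on it. Treat POSTs to the API endpoint as a signal in their own right until body logging is in place.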