CVE-2019-14746 – CVE-2019-14746 is a critical code injection vul... (How to Fix)

📋 TL;DR

CVE-2019-14746 is a critical code injection vulnerability in KuaiFanCMS 5.0 that allows remote attackers to execute arbitrary PHP code via the db_name parameter in install.php. This affects all KuaiFanCMS 5.0 installations that haven't been properly secured or patched, potentially giving attackers complete control over affected systems.

💻 Affected Systems

Products:

KuaiFanCMS

Versions: 5.0

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default installation. Requires install.php to be accessible, which should be removed after installation.

📦 What is this software?

Kuaifancms by Kuaifan

View all CVEs affecting Kuaifancms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟠

Likely Case

Webshell installation allowing unauthorized access, data exfiltration, and lateral movement within the network.

🟢

If Mitigated

Limited impact if proper input validation and security controls prevent code execution.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication via web interface.

🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request with PHP code in db_name parameter followed by config.php request. Public exploit details available in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - No official patch from vendor

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Remove install.php file after installation
2. Manually sanitize input validation in affected files
3. Consider migrating to alternative CMS if no official patch available

🔧 Temporary Workarounds

Remove install.php

all

Delete or restrict access to install.php file after installation

rm /path/to/kuaifancms/install.php

Input validation hardening

all

Add input sanitization to db_name parameter handling

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block eval() and PHP code in parameters
Network segmentation to isolate KuaiFanCMS from critical systems

🔍 How to Verify

Check if Vulnerable:

Check if install.php exists and is accessible via web browser. Test with harmless payload like '<?php echo "test"; ?>' in db_name parameter.

Check Version:

Check CMS version in configuration files or admin panel

Verify Fix Applied:

Confirm install.php is removed or inaccessible. Test exploitation attempts fail.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to install.php with PHP code in parameters
Unexpected eval() or system() calls in web server logs

Network Indicators:

POST/GET requests containing PHP code patterns to install.php

SIEM Query:

web.url:*install.php* AND (web.param:*<?php* OR web.param:*eval(* OR web.param:*system(*)

📊 Metadata

CVE ID: CVE-2019-14746

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: August 7, 2019

Last Updated: November 21, 2024

🔗 References

https://github.com/poropro/kuaifan/issues/2 Exploit,Issue Tracking,Third Party Advisory
https://github.com/poropro/kuaifan/issues/2 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-14746, you might also want to check these: