CVE-2019-16656

9.8 CRITICAL

📋 TL;DR

CVE-2019-16656 is a remote code execution vulnerability in joyplus-cms 1.6.0 that allows attackers to execute arbitrary PHP code by injecting malicious payloads into database object names during installation. This affects all systems running the vulnerable version of joyplus-cms with the /install endpoint accessible.

💻 Affected Systems

Products:
  • joyplus-cms
Versions: 1.6.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the installation process and affects systems where the /install endpoint remains accessible after initial setup.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.

🟠 Likely Case

Webshell deployment leading to data exfiltration, defacement, or use as part of a botnet.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the /install endpoint.

🌐 Internet-Facing: HIGH - The vulnerability requires access to the /install endpoint which is typically exposed on internet-facing web servers.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this, but exploitation requires knowledge of the system and access to the vulnerable endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves sending crafted requests to the /install endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/joyplus/joyplus-cms/issues/442

Restart Required: No

Instructions:

No official patch available. Remove or restrict access to the /install directory after installation. Consider migrating to a maintained CMS.

🔧 Temporary Workarounds

Remove Install Directory

Platform: Linux

Delete or rename the /install directory after initial CMS setup to prevent exploitation.

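# Option 1: delete the installer
rm -rf /path/to/joyplus-cms/install/
# Option 2: rename it (still served under the new name unless the web server blocks it)
mv /path/to/joyplus-cms/install/ /path/to/joyplus-cms/install_disabled/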

Restrict Access via Web Server

Platform: All

Configure web server to deny all access to the /install directory.

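# Apache (.htaccess in the install directory): "Require all denied" on 2.4, "Deny from all" on 2.2
Require all denied
# Nginx (^~ stops a regex location such as "~ \.php$" from taking precedence over the deny)
location ^~ /install/ { deny all; }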

🧯 If You Can't Patch

  • Implement strict network access controls to block external access to the /install endpoint.
  • Deploy a web application firewall (WAF) with rules to detect and block exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check if the /install directory exists and is accessible via HTTP requests. Test by accessing http://target/install/ and observing if installation pages load.

Check Version:

Check CMS version in configuration files or database. Common location: /config/config.php or similar.

Verify Fix Applied:

Verify the /install directory is either removed, renamed, or returns 403/404 errors when accessed.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /install/ with POST parameters containing suspicious PHP code patterns
  • Unusual file creation in web directories following /install access

Network Indicators:

  • HTTP traffic to /install/ endpoint from unexpected sources
  • POST requests to /install/ with base64 or encoded payloads

SIEM Query:

source="web_server" AND (url="/install/" OR url CONTAINS "/install/") AND (method="POST" OR parameters CONTAINS "php" OR parameters CONTAINS "eval")
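
The log indicators above can also be checked directly against a web server access log. The following is an added example, not part of the original advisory or the joyplus-cms project: it assumes common/combined log format, and the `/install/index.php` path and all sample lines are constructed. Access logs do not record POST bodies, so it keys on method, normalized path and response status rather than on payload content.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def install_hits(lines, prefix="/install"):
    """Return one record per request whose normalized path is under prefix."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        # Drop the query string, then undo percent-encoding, case tricks,
        # doubled slashes and ../ segments before comparing.
        path = unquote(m["target"].split("?", 1)[0]).lower()
        path = posixpath.normpath(re.sub(r"/+", "/", path))
        if path == prefix or path.startswith(prefix + "/"):
            status = int(m["status"])
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": status,
                         # A POST answered with 2xx/3xx reached the installer.
                         "served_post": m["method"] == "POST" and status < 400})
    return hits

def summarize(hits):
    """Count installer requests and served POSTs per source address."""
    by_ip = defaultdict(lambda: {"requests": 0, "served_posts": 0})
    for h in hits:
        by_ip[h["ip"]]["requests"] += 1
        by_ip[h["ip"]]["served_posts"] += int(h["served_post"])
    return dict(by_ip)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2020:10:01:02 +0000] "GET /install/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2020:10:01:09 +0000] "POST /install/index.php HTTP/1.1" 200 311',
    '203.0.113.9 - - [01/Jan/2020:10:05:44 +0000] "POST /%49nstall//index.php HTTP/1.1" 403 199',
    '203.0.113.9 - - [01/Jan/2020:10:05:50 +0000] "GET /installer-notes.html HTTP/1.1" 200 870',
    'not a log line',
]

if __name__ == "__main__":
    for ip, counts in summarize(install_hits(SAMPLE)).items():
        print(ip, counts)
```

Any source with a non-zero `served_posts` count after the initial setup date warrants a review of files created in the web root around the logged time.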
