CVE-2019-16885

9.8 CRITICAL

📋 TL;DR

CVE-2019-16885 is an unauthenticated remote code execution vulnerability in OkayCMS that allows attackers to execute arbitrary PHP code by injecting malicious objects via crafted cookies. This affects all OkayCMS installations through version 2.3.4. Attackers can exploit this without any authentication to gain full control of affected systems.

💻 Affected Systems

Products:
  • OkayCMS
Versions: through 2.3.4
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Remote code execution leading to website defacement, data theft, cryptocurrency mining, or ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation, but still potential for initial foothold in the affected system.

🌐 Internet-Facing: HIGH - Exploitable without authentication via HTTP requests, making internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through compromised internal systems, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and detailed write-ups available. Exploitation requires sending crafted cookies to specific endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.5 or later

Vendor Advisory: https://okay-cms.com/

Restart Required: No

Instructions:

1. Backup your OkayCMS installation and database.
2. Download the latest version from the official OkayCMS website.
3. Replace all files with the patched version.
4. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Cookie Input Validation

all

Add input validation for price_filter and comparison cookies to reject PHP object serialization

Modify view/ProductsView.php and api/Comparison.php to validate cookie inputs

Web Application Firewall Rules

all

Block requests containing PHP object serialization patterns in cookies

Add WAF rules to detect and block base64 encoded serialized objects in cookies

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OkayCMS from critical systems
  • Deploy a web application firewall with rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if your OkayCMS version is 2.3.4 or earlier. Review access logs for requests to /view/ProductsView.php or /api/Comparison.php with suspicious cookies.

Check Version:

Check the version in the admin panel or examine the CMS configuration files

Verify Fix Applied:

Verify the version is 2.3.5 or later. Test that cookie injection no longer results in code execution.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /view/ProductsView.php or /api/Comparison.php with base64 encoded data in price_filter or comparison cookies
  • Unusual PHP process execution from web server context

Network Indicators:

  • HTTP POST/GET requests with serialized PHP objects in cookies
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND (uri="/view/ProductsView.php" OR uri="/api/Comparison.php") AND cookie CONTAINS "O:"
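The following Python scanner is an added example, not code from the advisory or from OkayCMS. It turns the two defensive points on this page into one runnable check: the predicate that the cookie-validation workaround needs (reject a price_filter or comparison cookie that carries a serialized PHP object, raw or base64-wrapped) and the log indicator from the detection section. It assumes an access-log format whose last quoted field is the request's Cookie header (for example Apache's %{Cookie}i); the log lines, IP addresses, paths and the helper names scan_log, contains_php_object and parse_cookies are all constructed for this example. The harmless serialized object used as the sample payload is an empty stdClass, which is enough to exercise the signature.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Cookie names the advisory identifies as the injection point.
WATCHED_COOKIES = ("price_filter", "comparison")

# Signature of a serialized PHP object: O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[^"]*":\d+:\{')

# Assumed log format: client ip, ident, user, [timestamp], "request", status,
# bytes, "Cookie header". Only the fields we need are captured.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<cookie>[^"]*)"$'
)


def _try_base64(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; returns None when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def contains_php_object(value: str) -> bool:
    """True if the cookie value, URL-decoded and optionally base64-decoded,
    contains the serialized-PHP-object signature. This is the same predicate a
    server-side filter would apply before ever passing the value to unserialize()."""
    raw = unquote(value).encode("utf-8", "surrogateescape")
    if PHP_OBJECT_RE.search(raw):
        return True
    decoded = _try_base64(raw)
    return decoded is not None and PHP_OBJECT_RE.search(decoded) is not None


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: raw_value}; keeps '=' padding in values."""
    cookies = {}
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, cookie_name) for every request whose watched
    cookie carries a serialized PHP object."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        cookies = parse_cookies(m.group("cookie"))
        for name in WATCHED_COOKIES:
            if name in cookies and contains_php_object(cookies[name]):
                hits.append((m.group("ip"), m.group("uri"), name))
    return hits


# Constructed sample data. The "payload" is an empty stdClass, harmless by itself,
# used only because it carries the O:<len>:"<class>": signature.
_SAMPLE_OBJECT = b'O:8:"stdClass":0:{}'
_B64_OBJECT = base64.b64encode(_SAMPLE_OBJECT).decode()
_B64_BENIGN = base64.b64encode(b"12,34").decode()  # legitimate-looking comparison list

SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"price_filter=100-500; PHPSESSID=abc123"',
    '203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /products/ HTTP/1.1" 200 1024 '
    '"price_filter=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '203.0.113.9 - - [10/Oct/2019:13:55:44 +0000] "GET /compare/ HTTP/1.1" 200 900 '
    f'"PHPSESSID=def456; comparison={_B64_OBJECT}"',
    '203.0.113.11 - - [10/Oct/2019:13:55:50 +0000] "GET /compare/ HTTP/1.1" 200 900 '
    f'"comparison={_B64_BENIGN}"',
]

if __name__ == "__main__":
    for ip, uri, cookie in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {uri} serialized PHP object in cookie '{cookie}'")
```

Run against the built-in samples, only the second and third lines are reported; the plain price range and the base64 list of product ids pass. Because the signature check runs on the decoded value, it catches both the URL-encoded raw form and the base64-wrapped form the detection section describes, which a SIEM match on the literal string "O:" alone would miss for the base64 case.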
