CVE-2019-17175
📋 TL;DR
This vulnerability allows attackers to perform absolute path traversal via the manager/admin_pic.php endpoint in joyplus-cms 1.6.0. By manipulating the 'rootpath' parameter, attackers can access arbitrary files on the server. This affects all installations of joyplus-cms 1.6.0 that have the vulnerable endpoint accessible.
💻 Affected Systems
- joyplus-cms
📦 What is this software?
Joyplus Cms by Joyplus Cms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/passwd, /etc/shadow, or application configuration files containing database credentials, potentially leading to full system takeover.
Likely Case
Information disclosure of sensitive files, potentially exposing credentials, configuration data, or source code that could enable further attacks.
If Mitigated
Limited impact if proper file permissions restrict access to sensitive files and the vulnerable endpoint is not internet-facing.
🎯 Exploit Status
Exploitation requires only a web browser or curl command to send crafted HTTP requests. The vulnerability is well-documented in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Consider upgrading to a different CMS or implementing workarounds.
🔧 Temporary Workarounds
Restrict access to vulnerable endpoint
Block or restrict access to the manager/admin_pic.php file using web server configuration or firewall rules.
# Apache: add to .htaccess (requires AllowOverride) or to the vhost config
<Files "admin_pic.php">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order Deny,Allow
    Deny from all
</Files>
# Nginx: add to the server block for the site
location ~ /manager/admin_pic\.php$ {
    deny all;
    return 403;
}
Input validation in PHP
Add input validation to sanitize the rootpath parameter before processing.
<?php
// In admin_pic.php, validate the parameter before it reaches any file operation:
$rootpath = isset($_GET['rootpath']) ? (string) $_GET['rootpath'] : '';
// Reject traversal sequences, absolute paths (Unix "/" or Windows "C:\") and null bytes
if (strpos($rootpath, '..') !== false || strpos($rootpath, '/') === 0
    || strpos($rootpath, '\\') !== false || strpos($rootpath, "\0") !== false
    || preg_match('/^[A-Za-z]:/', $rootpath)) {
    die('Invalid path');
}
🧯 If You Can't Patch
- Implement strict file permissions to limit what files the web server user can read.
- Deploy a web application firewall (WAF) with path traversal protection rules.
🔍 How to Verify
Check if Vulnerable:
Request http://[target]/manager/admin_pic.php?rootpath=/etc/passwd and check whether the server returns the contents of /etc/passwd.
Check Version:
Check the CMS version in the configuration files or the admin panel. Look for version 1.6.0 in the source code or documentation.
Verify Fix Applied:
Repeat the same request after applying the fixes; it should return an error (for example HTTP 403) and no file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /manager/admin_pic.php with rootpath parameter containing absolute paths or directory traversal sequences
- Unusual file access patterns from web server process
Network Indicators:
- HTTP GET requests with rootpath parameter containing /etc/, /proc/, or other system paths
- Abnormal response sizes from the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri_path="/manager/admin_pic.php" AND query_string="*rootpath=*"
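The log indicators above can be checked offline against access logs. The following is an added example, not code from the advisory or the joyplus-cms project; it assumes Apache/Nginx combined-format access logs and uses constructed sample lines (IPs from documentation ranges). It decodes the rootpath parameter (including double URL-encoding) and flags absolute paths, traversal sequences and null bytes sent to the vulnerable endpoint.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /manager/admin_pic.php?rootpath=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.64.0"
203.0.113.5 - - [10/Oct/2019:12:00:02 +0000] "GET /manager/admin_pic.php?rootpath=..%2F..%2Fconfig.php HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.9 - - [10/Oct/2019:12:00:03 +0000] "GET /manager/admin_pic.php?rootpath=images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2019:12:00:04 +0000] "GET /index.php?rootpath=/etc/passwd HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

VULN_PATH = "/manager/admin_pic.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_rootpath(value: str) -> Optional[str]:
    """Return why a rootpath value looks malicious, or None if it looks benign."""
    decoded = unquote(unquote(value))  # second pass catches double URL-encoding
    if "\0" in decoded:
        return "null byte"
    if ".." in decoded:
        return "relative traversal"
    # Absolute path traversal: Unix root, UNC/backslash root, or a Windows drive letter
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", decoded):
        return "absolute path"
    return None


def scan_log(text: str) -> list:
    """Return one record per request to the vulnerable endpoint with a suspicious rootpath."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        parts = urlsplit(m["uri"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs already decodes one layer of percent-encoding
        for value in parse_qs(parts.query, keep_blank_values=True).get("rootpath", []):
            reason = suspicious_rootpath(value)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "rootpath": value,
                             "reason": reason, "status": int(m["status"]),
                             "size": m["size"]})
    return hits
```

A 200 status with a non-trivial response size on a flagged request is the strongest sign the read succeeded; the same requests answered with 403 after the workaround is applied show the block is working.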