CVE-2019-9002

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary PHP code on Tiny Issue and pixeline Bugs installations. Attackers can exploit the install/config-setup.php file if it remains accessible after installation, affecting all users who haven't removed the installer files.

💻 Affected Systems

Products:
  • Tiny Issue
  • pixeline Bugs
Versions: Tiny Issue 1.3.1, pixeline Bugs through 1.3.2c
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if install/config-setup.php file remains present after installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to data theft, malware deployment, or system takeover.

🟠 Likely Case

Webshell installation leading to persistent access, data exfiltration, or lateral movement within the network.

🟢 If Mitigated

No impact if installer files are properly removed after installation.

🌐 Internet-Facing: HIGH - Directly accessible via web interface, no authentication required.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with PHP code in database_host parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Remove installer files after installation

Vendor Advisory: https://github.com/mikelbring/tinyissue/issues/237

Restart Required: No

Instructions:

1. Delete the entire 'install' directory after installation completes.
2. Verify no install files remain in web-accessible directories.

🔧 Temporary Workarounds

Remove Installer Files

linux

Delete the vulnerable install/config-setup.php file and entire install directory

rm -rf /path/to/webroot/install/

Block Access via Web Server

all

Configure web server to deny access to install directory

# Apache:
<Directory /path/to/webroot/install>
    Order deny,allow
    Deny from all
</Directory>

# Nginx:
location ~ /install/ { deny all; }

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Deploy WAF rules to block requests containing PHP code patterns

🔍 How to Verify

Check if Vulnerable:

Check if /install/config-setup.php exists in webroot: ls -la /path/to/webroot/install/config-setup.php

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

Confirm install directory is removed or inaccessible: curl -I http://yoursite/install/config-setup.php should return 404

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /install/config-setup.php
  • Log entries containing 'database_host' parameter with PHP code patterns

Network Indicators:

  • POST requests to install/config-setup.php with suspicious payloads
  • Outbound connections from web server to unknown IPs

SIEM Query:

web.url = "*install/config-setup.php" AND http.method = "POST"
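
The log indicators and SIEM query above, applied to web server access logs. This is an added example, not code from the advisory or from either project; it assumes Apache/nginx common or combined log format, and the function names, verdict labels and sample lines are constructed for illustration. It also normalises the request path so that encoded, mixed-case or sub-directory variants of the installer path are matched, and it treats a 403 or 404 response as evidence that the mitigation is holding.

```python
import re
from urllib.parse import unquote

# Common/combined format: host ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
INSTALLER = "/install/config-setup.php"  # path named in the advisory


def normalise(target):
    """Drop the query string, decode %-escapes, collapse '//', lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()


def classify(line):
    """Return (ip, verdict) for a request to the installer, else None."""
    m = LINE_RE.match(line)
    if not m or INSTALLER not in normalise(m["target"]):
        return None
    status = m["status"]
    if status.startswith("2"):
        # Served: the file is still reachable. A served POST matches the
        # page's log indicator, so treat it as a possible compromise.
        verdict = "investigate" if m["method"] == "POST" else "installer-exposed"
    elif status in ("403", "404"):
        verdict = "blocked"  # removal or deny rule is holding
    else:
        verdict = "review"   # redirects, 5xx: check by hand
    return m["ip"], verdict


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET /install/config-setup.php HTTP/1.1" 200 5120 "-" "curl/7.64"',
    '203.0.113.7 - - [12/Mar/2019:10:01:09 +0000] "POST /install/config-setup.php HTTP/1.1" 200 431 "-" "curl/7.64"',
    '198.51.100.4 - - [12/Mar/2019:11:30:00 +0000] "POST /bugs//Install/config%2Dsetup.php?x=1 HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.10 - - [12/Mar/2019:11:31:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

Access logs normally do not record POST bodies, so the database_host indicator is only visible where request-body logging or a WAF audit log is enabled; the method, path and status code are what this check relies on.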
