CVE-2019-9015

9.1 CRITICAL

📋 TL;DR

This path traversal vulnerability in MOPCMS allows attackers to delete critical system files by manipulating column management functions. Attackers can delete entire website directories including the web root, leading to complete site destruction. All MOPCMS installations through November 2018 are affected.

💻 Affected Systems

Products:
  • MOPCMS
Versions: All versions through 2018-11-30
Operating Systems: All operating systems running MOPCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to column management functionality, but default admin credentials may be used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete deletion of web server files including operating system files if web server runs with high privileges, resulting in total system compromise and data loss.

🟠 Likely Case

Deletion of website files and directories, causing service disruption, data loss, and potential defacement.

🟢 If Mitigated

Limited to deletion of web-accessible files only if proper file permissions and web server sandboxing are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the admin panel. The attack path is simple: create a column with a malicious path, then delete it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2018-11-30

Vendor Advisory: https://github.com/yangsuda/mopcms/issues/1

Restart Required: No

Instructions:

1. Update MOPCMS to latest version.
2. If using version control, pull latest changes.
3. Clear any caches.
4. Verify column management functions validate path inputs.

🔧 Temporary Workarounds

Input Validation for Column Paths (platform: all)

Add server-side validation to reject path traversal sequences in column paths

Modify column management code to sanitize path inputs before processing
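
One way to implement this validation, as an added example rather than MOPCMS code: accept a column path only as a single safe directory name, then confirm the canonical path lies strictly inside the column root before any delete. PHP is assumed as the language of the column management code; the function names and the temporary demo directory are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from MOPCMS.

/**
 * Accept a column path only if it is a single directory name made of
 * safe characters. Rejects separators, "." / "..", and empty input.
 */
function is_safe_column_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $name) === 1;
}

/**
 * Resolve a stored column path to the directory that may be deleted.
 * Returns null unless the canonical path is strictly inside $root.
 */
function resolve_column_dir(string $root, string $name): ?string
{
    if (!is_safe_column_name($name)) {
        return null;
    }
    $rootReal = realpath($root);
    $target = realpath($root . DIRECTORY_SEPARATOR . $name); // follows symlinks
    if ($rootReal === false || $target === false || !is_dir($target)) {
        return null;
    }
    // Containment check on the canonical path: never the root itself,
    // never a sibling directory that merely shares the root's prefix.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo: a temporary column root containing one column, "news".
$root = sys_get_temp_dir() . '/columns_demo_' . getmypid();
mkdir($root . '/news', 0755, true);

// Constructed inputs: only the first names an existing column directory.
foreach (['news', '../../', '', '.', 'news/../..', '/var/www/html'] as $input) {
    $dir = resolve_column_dir($root, $input);
    printf("%-16s => %s\n", var_export($input, true), $dir ?? 'rejected');
}

rmdir($root . '/news');
rmdir($root);
```

The same check belongs on both the create and the delete path, so that a value stored before the fix cannot be used later to remove a directory outside the column root.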

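File Permission Restrictions (platform: linux)

Run the web server with minimal privileges and restrict write/delete permissions

# Own the site as root with group www-data so the web server user can read but not modify or delete files.
# X sets the execute bit only on directories and on files that are already executable.
chown -R root:www-data /var/www/html
chmod -R u=rwX,go=rX /var/www/html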

🧯 If You Can't Patch

  • Disable column management functionality entirely
  • Implement web application firewall rules to block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check MOPCMS version date. If version is from November 2018 or earlier, it's vulnerable.

Check Version:

Check MOPCMS configuration files or admin panel for version information

Verify Fix Applied:

Test column management with path traversal payloads like '../../'. If rejected, fix is applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual column creation/deletion events
  • File deletion operations in web root
  • Path traversal patterns in POST requests

Network Indicators:

  • HTTP POST requests to column management endpoints with '../' sequences

SIEM Query:

source="web_logs" AND (uri_path="*/admin/column*" AND (request_body LIKE "%../%" OR request_body LIKE "%./%"))
