CVE-2019-9651
📋 TL;DR
This vulnerability allows an attacker who can reach the SDCMS V1.7 admin theme editor (\app\admin\controller\themecontroller.php) to write arbitrary PHP code to the server. The check_bad() function that is meant to reject dangerous content is case-sensitive and incomplete: it blocks eval and the lowercase .php extension, so a request that uses .Php or .PHP, or calls alternative functions such as system(), exec() or passthru(), passes the filter. The result is remote code execution as the web server user. All SDCMS V1.7 installations with default configurations are affected.
💻 Affected Systems
- SDCMS V1.7 (fixed in V1.8 per the patch information below)
📦 What is this software?
SDCMS, a PHP-based content management system published by Sdcms; the vulnerable code is the theme (template) editor in its admin area.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the web server user, escalating to full server takeover where the host is not otherwise hardened, followed by data exfiltration and pivoting to other systems in the network.
Likely Case
Webshell deployment leading to data theft, defacement, and cryptocurrency mining malware installation.
If Mitigated
Attack blocked at WAF level or by proper input validation, with no impact to system integrity.
🎯 Exploit Status
Exploitation requires sending crafted theme-edit requests to the vulnerable admin endpoint, so the attacker needs access to the admin area (a stolen, weak or default credential is enough). Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SDCMS V1.8 or later
Vendor Advisory: http://www.iwantacve.cn/index.php/archives/155/
Restart Required: No
Instructions:
1. Back up the current installation (files and database).
2. Download the latest SDCMS release from the official source.
3. Replace the affected \app\admin\controller\themecontroller.php, or preferably apply the full release so no other changed file is missed.
4. Verify file ownership and permissions are correct.
5. Test theme editing and the rest of the admin panel.
🔧 Temporary Workarounds
Input Validation Enhancement
Add strict case-insensitive filtering for dangerous PHP functions and file extensions
Modify \app\admin\controller\themecontroller.php so that check_bad() lower-cases its input before comparison, rejects all dangerous functions (eval, system, exec, passthru, shell_exec, etc.) and blocks .php in every case variation. A function-name deny-list alone remains bypassable (PHP can build a call name at runtime), so if theme templates should never contain PHP, also reject any PHP open tag and restrict file names to an allow-list of template extensions.
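The decision logic of such a hardened check_bad(), shown in Python as an added example so it can be run and compared; it is not SDCMS code and not the vendor's fix. weak_check_bad() reconstructs the bypassable behaviour the advisory describes (case-sensitive substring tests for "eval" and ".php"); hardened_check_bad() lower-cases before comparing, allow-lists template extensions instead of deny-listing .php, rejects PHP-executable extensions anywhere in the name, and refuses any PHP open tag on the assumption that theme templates are static assets. The function names, the extension sets, the functions beyond those the advisory lists and the sample submissions are all constructed for this example.

```python
import re
from pathlib import PurePosixPath

# Reconstruction of the bypassable check the advisory describes: a
# case-sensitive substring test for "eval" in the content and ".php" in
# the file name. This is an assumed shape, not the vendor's source.
def weak_check_bad(filename: str, content: str) -> bool:
    """True if the weak filter rejects the submission."""
    return "eval" in content or ".php" in filename


# Hardened replacement (added example). Assumption: theme templates are
# static assets, so any PHP in them is an attack, not a feature.
ALLOWED_EXTENSIONS = {".html", ".htm", ".css", ".js", ".txt"}
# Extensions a typical PHP handler executes; checked against every suffix
# so "shell.php.html" is caught on hosts with multi-extension handlers.
PHP_EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Functions named in the advisory plus a few equally dangerous ones (assumed list).
DANGEROUS_FUNCS = ("eval", "assert", "system", "exec", "passthru",
                   "shell_exec", "popen", "proc_open", "pcntl_exec")
FUNC_CALL_RE = re.compile(r"\b(?:" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)
PHP_OPEN_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def hardened_check_bad(filename: str, content: str) -> tuple[bool, str]:
    """Return (rejected, reason); every comparison is done on lower-cased input."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # ignore any directory part
    if not name or name.startswith("."):
        return True, "empty or dot-file name"
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return True, f"extension {suffixes[-1] if suffixes else '(none)'} not in allow-list"
    if any(s in PHP_EXEC_EXTENSIONS for s in suffixes):
        return True, "PHP-executable extension inside file name"
    if PHP_OPEN_TAG_RE.search(content):
        return True, "PHP open tag in template"
    m = FUNC_CALL_RE.search(content)
    if m:
        return True, f"dangerous call {m.group(0).strip()}"
    return False, "ok"


# Constructed submissions: the advisory's bypass patterns plus one legitimate file.
SUBMISSIONS = [
    ("shell.php",      "<?php eval($_POST['c']); ?>"),                   # caught by both
    ("shell.Php",      "<?php system($_GET['c']); ?>"),                  # extension case + unlisted function
    ("shell.pHp",      "<?php EVAL($_POST['c']); ?>"),                   # function case
    ("shell.PHP.html", "<?php passthru($_GET['c']); ?>"),                # double extension
    ("shell.phtml",    "<?= shell_exec('id') ?>"),                       # alternate PHP extension
    ("footer.html",    "<?php $f = 'sys' . 'tem'; $f($_GET['c']); ?>"),  # dynamic call defeats any name list
    ("style.css",      "body { color: red; }"),                          # legitimate edit
]


def compare_filters():
    """Per submission: (file name, rejected by weak filter, rejected by hardened filter)."""
    return [(fn, weak_check_bad(fn, body), hardened_check_bad(fn, body)[0])
            for fn, body in SUBMISSIONS]


if __name__ == "__main__":
    for fn, weak, hard in compare_filters():
        print(f"{fn:16} weak={'reject' if weak else 'ALLOW '}  hardened={'reject' if hard else 'ALLOW '}")
```

The open-tag rule is what makes the difference for the footer.html payload: a deny-list keyed on function names cannot see a call whose name is assembled at runtime, which is why the weak filter lets it through even without any case trick. If SDCMS themes legitimately contain PHP, drop the open-tag rule, treat the function deny-list as best-effort only, and rely on upgrading.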
WAF Rule Implementation
Block requests containing dangerous PHP functions or .php extensions in any case
Add WAF rules that match case-insensitively (so one rule covers .php, .PHP, .Php, .pHp, SYSTEM( and so on) on: eval(, system(, exec(, passthru(, shell_exec(, and the .php extension in submitted file names. Inspect request bodies, not just the URL, since the payload is posted as theme content.
🧯 If You Can't Patch
- Implement strict web application firewall (WAF) rules to block requests containing dangerous PHP functions and .php extensions in any case variation
- Restrict access to the admin area (the controller lives under \app\admin) to trusted source addresses via IP allow-listing, and add a second authentication layer in front of it at the web server, since the CMS login alone is what the attacker needs to bypass
🔍 How to Verify
Check if Vulnerable:
Check if themecontroller.php file exists at \app\admin\controller\themecontroller.php and contains the vulnerable check_bad() function with insufficient filtering
Check Version:
Check SDCMS version in configuration files or admin panel
Verify Fix Applied:
Verify the check_bad() function now properly filters all dangerous PHP functions (including system, exec, passthru) and blocks .php in all case variations
📡 Detection & Monitoring
Log Indicators:
- POST requests to the theme editor (themecontroller.php) from unexpected source addresses or outside normal administrative hours
- Dangerous PHP function names (system, exec, passthru, shell_exec, eval) or PHP open tags in logged request parameters or bodies; note that a default web server access log does not record POST bodies, so this indicator needs WAF or request-body audit logging
- Repeated submissions from one source using different capitalizations of .php (.Php, .pHp, .PHP), the probing pattern of an attacker searching for the filter bypass
Network Indicators:
- HTTP requests to the admin area containing system(, exec(, passthru( or shell_exec( calls
- Submitted file names with .PHP, .Php or other case variations of the extension
SIEM Query:
source="web_logs" AND uri="*themecontroller*" AND (request_body="*system(*" OR request_body="*exec(*" OR request_body="*passthru(*" OR request_body="*shell_exec(*" OR request_body="*eval(*" OR uri="*.php*")
The comparison must be case-insensitive (use the SIEM's case-insensitive wildcard or a regex with the i flag) rather than enumerating spellings such as .PHP and .Php, otherwise the query misses exactly the variants the bypass uses. request_body is only populated when a WAF or reverse proxy logs request bodies; a plain access log carries only the request line. If the CMS routes every request through index.php, scope the .php test to parameter values or it will match all traffic.
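The log indicators above, run over constructed Apache combined-format lines as an added example that is not from the page or the vendor. The route names (/index.php/admin/theme/save and similar) are assumed for the example and the detector keys on "theme" in the path; real SDCMS routes may differ. Because a standard access log records only the request line, the detector can only inspect what lands in the query string, which is why the lead-in to the SIEM query asks for WAF or request-body logging. All function and rule names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx combined log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Any capitalization of a PHP-executable extension in a parameter value.
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)\b", re.IGNORECASE)
# Dangerous calls from the advisory (plus assert/popen/proc_open) or a PHP open tag.
DANGEROUS_RE = re.compile(
    r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(|<\?(?:php\b|=)",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Split a combined-log line into fields, URL-decoding the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # %3C%3Fphp -> <?php, + -> space
    return rec


def scan(log_text: str, probe_threshold: int = 2) -> list:
    """Return alerts as dicts with ip, severity, rule and evidence."""
    alerts = []
    variants = defaultdict(set)   # ip -> distinct spellings of the extension seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        in_theme_editor = "theme" in rec["path"].lower()
        if rec["method"] == "POST" and in_theme_editor:
            alerts.append({"ip": ip, "severity": "info", "rule": "post-to-theme-editor",
                           "evidence": rec["target"]})
        for m in PHP_EXT_RE.finditer(rec["query"]):
            alerts.append({"ip": ip, "severity": "high", "rule": "php-extension-in-parameter",
                           "evidence": m.group(0)})
            variants[ip].add(m.group(0))
        m = DANGEROUS_RE.search(rec["query"])
        if m:
            alerts.append({"ip": ip, "severity": "high", "rule": "php-code-in-parameter",
                           "evidence": m.group(0)})
    # Several spellings of .php from one source is the bypass-hunting pattern.
    for ip, seen in variants.items():
        if len(seen) >= probe_threshold:
            alerts.append({"ip": ip, "severity": "high", "rule": "extension-case-probing",
                           "evidence": sorted(seen)})
    return alerts


# Constructed sample log: one admin session probing the filter, one benign visitor.
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Mar/2019:12:00:01 +0000] "GET /index.php/admin/theme/edit?file=footer.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/Mar/2019:12:00:09 +0000] "POST /index.php/admin/theme/save?file=shell.Php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/Mar/2019:12:00:15 +0000] "POST /index.php/admin/theme/save?file=shell.pHp HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/Mar/2019:12:00:21 +0000] "GET /index.php/admin/theme/save?file=x.html&content=%3C%3Fphp+system%28%24_GET%5B%27c%27%5D%29%3B+%3F%3E HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:12:01:00 +0000] "GET /index.php/home/index HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['severity']:4} {a['ip']:14} {a['rule']:28} {a['evidence']}")
```

The extension rule deliberately runs on decoded parameter values only: the route path itself contains index.php on many PHP applications, and matching there would fire on every request, which is the same scoping problem the SIEM query above has with uri="*.php*".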