CVE-2020-18438
📋 TL;DR
This directory traversal vulnerability in phpok 5.1 lets an attacker read files outside the intended directory by placing '../' sequences in the title parameter of admin.php. Files are read with the privileges of the web server account, so any configuration file, credential store or other sensitive data that account can read may be exposed. All phpok 5.1 installations are affected.
💻 Affected Systems
- qinggan phpok
📦 What is this software?
PHPOK (qinggan/phpok), an open-source PHP content management system.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of database credentials, configuration files and application secrets readable by the web server account, enabling follow-on attacks such as direct database access or administrative takeover of the site.
Likely Case
Disclosure of configuration files containing database credentials, API keys and other application secrets.
If Mitigated
Limited impact: the read runs as the web server account, so strict file permissions, secrets kept outside the web root and a web server configuration that restricts who can reach admin.php sharply reduce what can be exposed.
🎯 Exploit Status
Exploitation requires a request to admin.php, which normally sits behind the administrative login, so an attacker needs valid admin credentials or a way past authentication (weak or reused passwords, a leaked session). Once that hurdle is passed, the attack is a single crafted request and needs no special tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.1
Vendor Advisory: https://github.com/qinggan/phpok/issues/4
Restart Required: No
Instructions:
1. Upgrade phpok to version 5.2 or later.
2. Download the latest release from the official repository (https://github.com/qinggan/phpok).
3. Back up the installation, then deploy the updated code over the vulnerable files.
4. Verify the fix by repeating the title-parameter traversal request described under "How to Verify"; it must no longer return file contents.
🔧 Temporary Workarounds
Input Validation Filter
Platform: all. Add input validation that rejects directory traversal sequences in the title parameter.
Modify admin.php, before the title parameter is used, to include:
$title = $_REQUEST['title'] ?? '';  // check GET and POST, not only $_GET
if (strpos($title, '..') !== false || strpos($title, '/') === 0) { http_response_code(400); exit('Invalid input'); }
This denylist is a stopgap: it does not stop a symlink inside the allowed directory pointing elsewhere, and any other code path that builds a filename from user input stays exposed. The robust fix is to resolve the joined path with realpath() and refuse it unless it starts with the allowed directory.
Access Restriction
Platform: Apache httpd (any OS). Restrict access to admin.php to trusted IP addresses only.
Add to .htaccess in the phpok web root (Apache 2.4 syntax; 192.168.1.0/24 is an example range, substitute your administrative network):
<Files "admin.php">
    Require ip 192.168.1.0/24
</Files>
On Apache 2.2 use "Order Deny,Allow", "Deny from all", "Allow from 192.168.1.0/24" inside the same <Files> block instead of Require. The directory must have AllowOverride enabled for .htaccess to take effect, and if the server sits behind a reverse proxy the client address must be restored (mod_remoteip) or the rule will match the proxy, not the visitor.
🧯 If You Can't Patch
- Validate every user-supplied value that ends up in a file path: resolve the full path and reject it unless it remains inside the intended directory, rather than only searching for '..'
- Tighten file permissions on configuration files and move secrets outside the web root so the web server account cannot read more than it needs
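The following is an added illustration, not code from phpok or this advisory, written in Python so it runs stand-alone (the same logic in PHP is realpath() on the joined path followed by a prefix comparison). It puts the '..' denylist from the workaround beside the path-containment check that should replace it, and shows two inputs the denylist lets through. ALLOWED_ROOT is a hypothetical directory chosen for the example.

```python
import posixpath
from typing import Optional

# Hypothetical directory the application is allowed to serve files from
# (constructed for this example; not a real phpok path).
ALLOWED_ROOT = "/var/www/phpok/content"


def denylist_allows(value: str) -> bool:
    """The stopgap filter from the workaround: accept unless '..' appears."""
    return ".." not in value


def resolve_inside_root(user_value: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Join root and user_value, canonicalise, and return the result only if it
    is still inside root. Returns None for anything that escapes.

    Canonicalisation here is lexical (posixpath.normpath) so the example runs
    without the files existing. On a live server use os.path.realpath() for
    the same step so that symlinks are resolved before the prefix check.
    """
    if "\x00" in user_value:
        # A NUL byte truncates the path in C-backed file APIs, so anything
        # after it (e.g. a forced ".html" suffix) never reaches the filesystem.
        return None
    root = posixpath.normpath(root)
    # posixpath.join discards root when user_value is absolute ("/etc/passwd"),
    # which is exactly why the prefix check below, not the join, is the guard.
    candidate = posixpath.normpath(posixpath.join(root, user_value))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    probes = [
        "news/index.html",             # legitimate relative path
        "../../etc/passwd",            # classic traversal; both checks reject it
        "/etc/passwd",                 # absolute path: no '..', slips past the denylist
        "/etc/passwd\x00.html",        # NUL truncation: also slips past the denylist
        "news/./../../../etc/passwd",  # traversal hidden behind a legitimate prefix
    ]
    for p in probes:
        print(f"{p!r:32} denylist_allows={denylist_allows(p)!s:5} "
              f"resolved={resolve_inside_root(p)}")
```

Run it to see that the absolute-path and NUL-byte probes pass denylist_allows but are refused by resolve_inside_root, while the legitimate relative path resolves to a file under ALLOWED_ROOT.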
🔍 How to Verify
Check if Vulnerable:
On a test instance you are authorized to assess, request admin.php (with a valid admin session, since the script normally sits behind the login) with a title parameter containing a traversal sequence such as '../../etc/passwd' (Unix-like hosts). If the response body contains the file's contents, the installation is vulnerable.
Check Version:
Check the phpok version in the installation's version/configuration files or in the admin backend. phpinfo() reports only the PHP interpreter version, not the application version, so it does not answer this question.
Verify Fix Applied:
Repeat the same traversal request after patching. The server should reject it (an error page or a sanitized value) and must not return any file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to admin.php whose query string contains '..' followed by a slash or backslash, including URL-encoded forms such as '..%2f', '%2e%2e%2f' and double-encoded '%252e%252e%252f'
- Such requests answered with HTTP 200 and a non-trivial response size, which indicates a file was actually returned
- Unusual file access patterns in web server or application logs (reads of configuration files or files outside the content directory)
Network Indicators:
- Bursts of requests to admin.php from one client with varying file paths in the title parameter (enumeration of candidate files)
- Parameter values naming well-known sensitive files such as /etc/passwd or the application's configuration files
SIEM Query:
source="web_logs" AND uri="*admin.php?*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e*")
The field names are placeholders; map them to your platform's extracted fields (for example uri_path and uri_query in Splunk's access_combined extractions). Access logs only record the query string, so traversal sequences sent in a POST body are not visible here and need application- or WAF-level logging.
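As an added example, not part of the original advisory, the detection logic above run over a handful of constructed access-log lines. The script parses Apache combined-format entries, keeps only requests to admin.php, percent-decodes the query string twice so single- and double-encoded probes are caught, and separates attempts from the ones that most likely returned a file (HTTP 200 with a body). The IP addresses, timestamps and query strings in SAMPLE_LOG are invented for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access-log lines for this example; the
# addresses, timestamps and query strings are invented, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2020:10:01:02 +0000] "GET /admin.php?title=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2020:10:01:05 +0000] "GET /admin.php?title=../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2020:10:01:07 +0000] "GET /admin.php?title=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "curl/7.68.0"
203.0.113.10 - - [12/May/2020:10:01:09 +0000] "GET /admin.php?title=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.7 - - [12/May/2020:10:02:00 +0000] "GET /index.php?id=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2020:10:02:30 +0000] "POST /admin.php?c=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [time], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# '..' followed by a slash, a backslash or end of string, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|$)")


def decode_query(query: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded probes (%252e -> %2e -> .)
    are seen in their final form. Two rounds cover the common cases."""
    for _ in range(rounds):
        query = unquote(query)
    return query


def traversal_hits(log_text: str, target_script: str = "admin.php") -> list[dict]:
    """Return one record per request to target_script whose query string
    contains a traversal sequence once decoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/" + target_script):
            continue
        decoded = decode_query(parts.query)
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "bytes": m.group("size"),
                "query": decoded,
            })
    return hits


def likely_successful(hits: list[dict]) -> list[dict]:
    """A 200 with a non-empty body after a traversal request is the strongest
    sign in an access log that a file was actually returned."""
    return [h for h in hits if h["status"] == 200 and h["bytes"] not in ("-", "0")]


if __name__ == "__main__":
    found = traversal_hits(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["time"], h["status"], h["bytes"], h["query"])
    print(f"{len(found)} traversal attempts, {len(likely_successful(found))} likely succeeded")
```

Against the sample, the three admin.php probes from 203.0.113.10 are reported (the plain, single-encoded and double-encoded forms), the index.php probe is ignored because it targets a different script, and two of the three attempts are flagged as likely successful. Feed real access logs through traversal_hits() and pivot on the ip field to find the source behind a file-enumeration burst.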