CVE-2020-18439

9.1 CRITICAL

📋 TL;DR

This vulnerability in phpok 5.1 allows attackers to write arbitrary files to the server through the edit_save_f function in the admin panel. Successful exploitation could lead to remote code execution and complete system compromise. All installations of phpok 5.1 with the vulnerable framework/admin/tpl_control.php file are affected.

💻 Affected Systems

Products:
  • phpok CMS
Versions: Version 5.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the admin panel's tpl_control.php functionality. The vulnerability is in the framework code, so all installations of version 5.1 are affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining shell access, installing backdoors, stealing data, and using the server for further attacks.

🟠 Likely Case: Remote code execution leading to website defacement, data theft, or malware deployment.

🟢 If Mitigated: Limited impact if proper file permissions and input validation are in place, though the risk remains significant.

🌐 Internet-Facing: HIGH - Admin panels are often internet-accessible and this vulnerability allows file writes that can lead to RCE.
🏢 Internal Only: MEDIUM - Lower risk if admin panel is only internally accessible, but still dangerous if internal attackers exist.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin panel access. The GitHub issue shows proof of concept details. File write vulnerabilities in PHP applications are commonly weaponized for RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.2 or later

Vendor Advisory: https://github.com/qinggan/phpok/issues/4

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download the latest version of phpok from the official repository.
3. Replace the vulnerable framework/admin/tpl_control.php file.
4. Verify that all customizations are preserved.
5. Test the admin functionality.

🔧 Temporary Workarounds

Restrict Admin Panel Access (applies to: all platforms)

Limit access to the admin panel to trusted IP addresses only:

  # Add to .htaccess or the web server config (Apache 2.2 access-control
  # syntax; Apache 2.4 needs mod_access_compat for this, or use "Require ip").
  # Replace the example ranges with your own administrator networks.
  Order Deny,Allow
  Deny from all
  Allow from 192.168.1.0/24
  Allow from 10.0.0.0/8

Remove Vulnerable File (applies to: linux)

Temporarily remove or rename the vulnerable file if it is not in use (this disables template editing in the admin panel until the file is restored):

  mv framework/admin/tpl_control.php framework/admin/tpl_control.php.disabled

🧯 If You Can't Patch

  • Implement strict file permissions (chmod 644 for PHP files, 755 for directories)
  • Deploy a web application firewall (WAF) with rules to block file write attempts

🔍 How to Verify

Check if Vulnerable:

Check if framework/admin/tpl_control.php exists and contains the edit_save_f function without proper input validation for file writes.

Check Version:

grep -r "phpok version" ./*.php   # or inspect the config files for version information

Verify Fix Applied:

Verify the tpl_control.php file has been updated to version 5.2 or later, and test that file write functionality properly validates input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in PHP error logs
  • Multiple POST requests to tpl_control.php with file parameters
  • Webshell creation in unexpected directories

Network Indicators:

  • HTTP POST requests to /framework/admin/tpl_control.php with file content
  • Subsequent connections to newly created PHP files

SIEM Query:

source="web_logs" AND uri="/framework/admin/tpl_control.php" AND method="POST" AND (file* OR content* OR write*)
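The log and network indicators above, turned into detection logic as an added example (not part of the advisory): it parses Apache combined-format access-log lines, flags POST requests to the tpl_control.php endpoint per source address, and flags any later request from the same source for a .php path that was never seen earlier in the log (the "subsequent connections to newly created PHP files" indicator). The log lines are constructed samples; the regex assumes the standard combined format, and in practice the baseline of known .php paths would be seeded from a longer history than one file.

```python
import re
from collections import defaultdict

ADMIN_ENDPOINT = "/framework/admin/tpl_control.php"
# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic); 203.0.113.7 is the suspicious source.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.168.1.20 - - [10/Oct/2020:13:56:01 +0000] "GET /framework/admin/tpl_control.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2020:13:57:12 +0000] "POST /framework/admin/tpl_control.php HTTP/1.1" 200 188',
    '203.0.113.7 - - [10/Oct/2020:13:57:13 +0000] "POST /framework/admin/tpl_control.php HTTP/1.1" 200 188',
    '203.0.113.7 - - [10/Oct/2020:13:57:30 +0000] "GET /images/x.php HTTP/1.1" 200 64',
    '198.51.100.9 - - [10/Oct/2020:13:58:00 +0000] "GET /about.php HTTP/1.1" 200 900',
]

def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def analyse(lines):
    """Return (kind, ip, path, editor_post_count) alerts in log order.

    kind is 'admin_post' for a POST to the template editor endpoint, or
    'new_php_after_post' for a request to a .php path not seen earlier in the
    log from a source that previously POSTed to the editor (possible webshell).
    """
    alerts = []
    seen_php = set()            # .php paths observed so far (the baseline)
    posted = defaultdict(int)   # source ip -> number of editor POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == ADMIN_ENDPOINT:
            posted[ip] += 1
            alerts.append(("admin_post", ip, path, posted[ip]))
        elif path.endswith(".php") and path not in seen_php and posted[ip]:
            alerts.append(("new_php_after_post", ip, path, posted[ip]))
        if path.endswith(".php"):
            seen_php.add(path)
    return alerts
```

Running `analyse(SAMPLE_LOG)` yields two admin_post alerts for 203.0.113.7 followed by one new_php_after_post alert for /images/x.php, while the GET from the internal administrator address and the unrelated visitor are not flagged.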
