CVE-2020-18890

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on puppyCMS v5.1 systems due to insecure file permissions in the admin functions.php file. Attackers can gain shell access without authentication, potentially compromising the entire server. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • puppyCMS
Versions: v5.1
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of puppyCMS v5.1 regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise with attacker gaining root/system privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Webshell installation leading to data theft, defacement, and use as a pivot point for lateral movement within the network.

🟢 If Mitigated: Attack blocked at perimeter with no internal systems exposed, limiting impact to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code targeting the vulnerable functions.php file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check if you're running puppyCMS v5.1
2. Consider migrating to alternative CMS solutions
3. If continuing with puppyCMS, implement strict access controls and monitoring

🔧 Temporary Workarounds

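Restrict access to admin directory (platform: all)

Block external access to the vulnerable /admin/functions.php file

# Apache: add to the .htaccess in the admin/ directory
# (a <Files> rule in a higher-level .htaccess also matches functions.php in every subdirectory)
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead
<Files "functions.php">
    Order Allow,Deny
    Deny from all
</Files>

# Nginx: add to the server block
location ~ /admin/functions\.php$ {
    deny all;
    return 403;
}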

Set proper file permissions (platform: linux)

Remove write permissions from functions.php to prevent modification

chmod 644 /path/to/puppyCMS/admin/functions.php
chown root:root /path/to/puppyCMS/admin/functions.php

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate puppyCMS from critical systems
  • Deploy a web application firewall (WAF) with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if /admin/functions.php exists and is accessible without authentication. Test with curl:

curl -I http://target/admin/functions.php

Check Version:

Check puppyCMS version in admin panel or look for version markers in source files

Verify Fix Applied:

Verify functions.php returns 403 Forbidden when accessed externally and has proper permissions (644 on Linux)

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/functions.php
  • File modification timestamps on functions.php
  • Suspicious process execution from web server user

Network Indicators:

  • HTTP requests containing shell commands or encoded payloads to admin endpoints
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND (uri="/admin/functions.php" OR uri CONTAINS "functions.php") AND (status=200 OR method="POST")
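
The SIEM query above, applied to raw access logs, as an added example that is not part of the original advisory or of puppyCMS. It assumes the Apache/Nginx combined log format; the function names and sample lines are constructed for illustration. It goes slightly beyond the query by percent-decoding the path and by labelling whether each matching request was served or refused.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "POST /admin/functions.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:10:02:30 +0000] "POST /admin/functions%2Ephp HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:02:41 +0000] "GET /admin/functions.php HTTP/1.1" 403 153 "-" "-"',
]


def normalize_path(target):
    """Drop the query string, percent-decode twice, lowercase."""
    path = urlsplit(target).path
    for _ in range(2):  # second pass catches double-encoding such as %252E
        path = unquote(path)
    return path.lower()


def flag_requests(lines):
    """Apply the query logic: URI contains functions.php AND (200 OR POST)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path, status = normalize_path(m["target"]), int(m["status"])
        if "functions.php" not in path:
            continue
        if status == 200 or m["method"] == "POST":
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": path, "status": status,
                # served = the server did not refuse the request; refused = 4xx/5xx
                "outcome": "served" if status < 400 else "refused",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit["outcome"], hit["ip"], hit["method"], hit["path"], hit["status"])
```

A "served" hit means functions.php is still reachable and warrants immediate review; a "refused" POST shows the access restriction held against a probe.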
