CVE-2024-44867
📋 TL;DR
CVE-2024-44867 is an arbitrary file read vulnerability in phpok v3.0 that allows attackers to read sensitive files on the server through the /autoload/file.php component. This affects all deployments of phpok v3.0, potentially exposing configuration files, credentials, and other sensitive data.
💻 Affected Systems
- phpok
📦 What is this software?
Phpok by Phpok
⚠️ Risk & Real-World Impact
Worst Case
Attackers can read sensitive system files like /etc/passwd, configuration files containing database credentials, and application source code, leading to complete system compromise.
Likely Case
Attackers will read configuration files to obtain database credentials and other sensitive information, potentially leading to data breaches and further system exploitation.
If Mitigated
With proper file permissions and web server restrictions, impact is limited to readable files within the web application context.
🎯 Exploit Status
Exploitation requires only a simple HTTP request with path traversal parameters. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.0.1 or later
Vendor Advisory: https://github.com/ChengZyin/CVE-2024-44867/blob/main/CVE-2024-44867.md
Restart Required: No
Instructions:
1. Download the latest version from the official phpok repository.
2. Replace the vulnerable /autoload/file.php file.
3. Verify the fix by testing the exploit path.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Add web server rules to block or restrict access to /autoload/file.php
# Apache: RewriteRule ^autoload/file\.php - [F,L]
# Nginx: location ~ /autoload/file\.php { deny all; }
Implement input validation
Add path traversal validation in the file.php component
# In file.php, add: if (strpos($file_path, '..') !== false) { die('Invalid request'); }
🧯 If You Can't Patch
- Implement strict file permissions to limit readable files to only those necessary for the application
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Test by accessing http://[target]/autoload/file.php?file=../../../../etc/passwd and checking if system files are returned.
Check Version:
Check the phpok version in the application's configuration or admin panel
Verify Fix Applied:
Attempt the same request path after patching; it should return an error or an empty response instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /autoload/file.php with '..' in parameters
- Unusual file access patterns from web application
Network Indicators:
- HTTP GET requests with path traversal sequences in query parameters
- Traffic to /autoload/file.php endpoint
SIEM Query:
source="web_logs" AND uri="/autoload/file.php" AND (query="*..*" OR query="*../*")
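The log indicators and SIEM query above match a literal '..' in the query string, which misses percent-encoded forms such as %2e%2e%2f. The following is an added example (not part of the advisory or of phpok) that scans access-log lines in combined format, decodes the query parameters, and flags requests to /autoload/file.php whose parameters carry a traversal sequence; the log lines and IP addresses are constructed samples.

```python
# Added example: detect traversal attempts against /autoload/file.php in web
# access logs, including URL-encoded and double-encoded '..' sequences that a
# plain "*..*" wildcard match does not catch. Sample log lines are constructed.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/autoload/file.php"
# '..' bounded by a slash, backslash, or string edge: a..b is not traversal.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(uri: str) -> bool:
    """True if the request targets the vulnerable endpoint with '..' in any parameter."""
    parts = urlsplit(uri)
    if decode_fully(parts.path).rstrip("/") != VULN_PATH:
        return False
    # parse_qsl decodes one layer of %-encoding; decode_fully handles the rest.
    return any(TRAVERSAL_RE.search(decode_fully(val))
               for _, val in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(lines):
    """Return (ip, timestamp, uri, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and is_traversal_attempt(m["uri"]):
            hits.append((m["ip"], m["ts"], m["uri"], int(m["status"])))
    return hits


# Constructed sample log: two traversal attempts (one encoded) and two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /autoload/file.php?file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.10 - - [10/Oct/2024:13:55:40 +0000] "GET /autoload/file.php?file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /autoload/file.php?file=images%2Flogo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "GET /index.php?id=a..b HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A 200 status on a flagged line is the signal that the read may have succeeded on an unpatched host; flagged lines with 403 after the web server rule is in place confirm the workaround is taking effect.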