#VU16067 Command injection in PHP


Published: 2020-03-18 | Updated: 2021-06-17

Vulnerability identifier: #VU16067

Vulnerability risk: Low

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-19518

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to inject and execute arbitrary commands.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 5.6.0 - 5.6.38, 7.1.0 - 7.1.24, 7.2.0 - 7.2.12

External links
http://bugs.php.net/bug.php?id=77153
http://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


Latest bulletins with this vulnerability


Gentoo update for PHP
Ubuntu update for UW IMAP
Amazon Linux AMI update for php56, php70, php71, php72
Debian update for php7.0
openSUSE update for php7
OpenSUSE Linux update for php5
Multiple vulnerabilities in PHP
Command injection in php7 (Alpine package)