CVE-2018-10740
Description
Axublog 1.1.0 allows remote Code Execution as demonstrated by injection of PHP code (contained in the webkeywords parameter) into the cmsconfig.php file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Axublog 1.1.0 allows remote code execution via PHP code injection in the webkeywords parameter to ad/setconfig.php, which writes to cmsconfig.php.
Vulnerability
Axublog 1.1.0 contains a remote code execution vulnerability in the ad/setconfig.php file. The $webkeywords parameter is directly written into the ../cmsconfig.php file without any sanitization or escaping [1]. This allows an attacker to inject arbitrary PHP code into the configuration file, which is then included and executed when cmsconfig.php is loaded. The affected version is Axublog 1.1.0 [1].
Exploitation
An attacker must have access to the backend ad/setconfig.php page (typically requires authentication as an administrator). The attacker submits a crafted webkeywords parameter that closes the existing PHP string assignment and injects new PHP code, for example: 123456 "; @eval($_POST['a']); $a=" [1]. This payload is written directly into cmsconfig.php, and upon subsequent requests to that file, the injected code is executed.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full compromise of the web application and potentially the underlying system. The attacker can gain the privilege level of the web server user, enabling actions such as reading sensitive files, modifying application data, or executing system commands.
Mitigation
According to the available references, no official patch has been released for Axublog 1.1.0 [1]. Users are advised to restrict access to the ad/ directory, ensure the cmsconfig.php file is not writable by the web server, and apply input validation on the webkeywords parameter. The vendor has not provided a fixed version, and the application may be considered end-of-life.
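The injection described under Exploitation, next to a config writer that keeps the value as data, as an added example (not Axublog's code and not taken from the cited issue). It assumes cmsconfig.php stores each setting as a double-quoted PHP string assignment; the function names are hypothetical, and the generated text is only tokenized, never executed.

```php
<?php
// Added example, not Axublog source. Assumption: cmsconfig.php stores each
// setting as a double-quoted PHP string assignment; all names are hypothetical.

// Vulnerable pattern: the raw value is pasted between double quotes, so a
// quote in the input ends the string and the remainder is parsed as code.
function render_config_unsafe(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        $out .= "\$$name=\"$value\";\n";
    }
    return $out;
}

// Hardened: validate the setting name, bound the value (255 is arbitrary), and
// let var_export() emit the literal: single-quoted, with ' and \ escaped.
function render_config_safe(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $name)) {
            throw new InvalidArgumentException('bad setting name');
        }
        if (!is_string($value) || strlen($value) > 255) {
            throw new InvalidArgumentException("bad value for $name");
        }
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// Tokenize (never execute) the generated file and count statement terminators.
// More terminators than settings means a value escaped its string literal.
function statement_count(string $php): int
{
    $n = 0;
    foreach (token_get_all($php) as $tok) {
        if ($tok === ';') {
            $n++;
        }
    }
    return $n;
}

// Constructed input: the webkeywords value quoted in the Exploitation section.
$settings = ['webkeywords' => '123456 "; @eval($_POST[\'a\']); $a="'];
printf("unsafe: %d statement(s)\n", statement_count(render_config_unsafe($settings)));
printf("safe:   %d statement(s)\n", statement_count(render_config_safe($settings)));
```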
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
[1] github.com/axublog/axublog/issues/1 (mitre, x_refsource_MISC)