CVE-2018-18485
Description
An issue was discovered in PHPSHE 1.7. admin.php?mod=db&act=del allows remote attackers to delete arbitrary files via directory traversal sequences in the dbname parameter. This can be leveraged to reload the product by deleting install.lock.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE 1.7 admin.php?mod=db&act=del allows directory traversal to delete arbitrary files, enabling reinstallation by deleting install.lock.
Vulnerability
In PHPSHE version 1.7, the admin.php?mod=db&act=del endpoint does not properly sanitize the dbname parameter, allowing directory traversal sequences such as ../. This enables an attacker to delete arbitrary files on the server. The vulnerability is reachable via a crafted HTTP request to the admin interface.
Exploitation
An attacker must have access to the admin panel (typically requiring authentication). By sending a request to admin.php?mod=db&act=del with a dbname parameter containing path traversal sequences (e.g., ../../../install.lock), the attacker can delete the target file. No special privileges beyond admin access are needed.
Impact
Successful exploitation allows the attacker to delete arbitrary files. Deleting install.lock forces the application to re-run its installation process, potentially allowing the attacker to gain full control over the application (e.g., by reconfiguring the database or uploading a malicious payload). This can lead to complete compromise of the PHPSHE installation.
Mitigation
According to the available references, no official patch has been released for PHPSHE 1.7 [1]. Users should restrict access to the admin panel to trusted IPs, implement strong authentication, and consider upgrading to a newer version if available. Additionally, file deletion operations should validate and sanitize user-supplied paths.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
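The path validation recommended under Mitigation can be sketched as follows. This is an added example, not PHPSHE code: the function names, the `backups` directory and the assumption that each backup is a single file in one dedicated directory are hypothetical, and the sample tree is constructed in a temporary directory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not PHPSHE code): map a user-supplied backup name to a
// path inside $baseDir, or return null when the name could escape it.
function resolve_backup_path(string $baseDir, string $name): ?string
{
    // 1. Allowlist: one path component, no separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths and confirm containment; realpath() also
    //    resolves symlinks, so a link pointing outside the base is rejected.
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return null; // base directory missing or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function delete_backup(string $baseDir, string $name): bool
{
    $path = resolve_backup_path($baseDir, $name);
    // Only regular files are removed; directories and rejected names are not.
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed demo: a temporary tree standing in for the application root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backups', 0700, true);
touch($root . '/install.lock');
touch($root . '/backups/2018-10-01.sql');

foreach (['2018-10-01.sql', '../install.lock', '..', 'missing.sql'] as $name) {
    $result = delete_backup($root . '/backups', $name) ? 'deleted' : 'rejected';
    printf("%-16s => %s\n", $name, $result);
}
printf("install.lock still present: %s\n", is_file($root . '/install.lock') ? 'yes' : 'no');

// Clean up the constructed tree.
unlink($root . '/install.lock');
rmdir($root . '/backups');
rmdir($root);
```

The allowlist alone stops the traversal sequences described above; the canonical-path comparison is the second layer that still holds if the allowlist is later loosened or a symlink is placed inside the backup directory.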
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] gitee.com/koyshe/phpshe/issues/INOG4 (mitre, x_refsource_MISC)