CVE-2018-19180
Description
statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install.lock is not present) allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DB_PREFIX field, which is written to database.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YUNUCMS 1.1.5 allows remote code execution when an attacker deletes install.lock and then injects PHP into the DB_PREFIX field during reinstallation.
Vulnerability
The vulnerability resides in the installation script statics/app/index/controller/Install.php in YUNUCMS version 1.1.5. If the file /data/install.lock is absent (e.g., because it was never created or was removed), the installation process can be re-run. During step setup2, the value of the DB_PREFIX POST parameter is directly written into the application's database configuration file (database.php) without sanitization. This allows an attacker to inject arbitrary PHP code into the configuration file, which will later be executed by the application [1].
Exploitation
An attacker does not need authentication. The attack consists of two steps [1]:
- Delete the install.lock file: Send a POST request to
/statics/ueditor/php/controller.php?action=removewithkey=uploads/../data/install.lock. TheLocal.class.phpremove function only enforces that the path starts with "uploads" but does not prevent directory traversal (../) outside that constraint, allowing deletion of arbitrary files.
- Reinstall the application: Access
index.php?s=index/install/setup2and send a POST request with a craftedDB_PREFIXparameter containing PHP code (e.g.,'; phpinfo(); //). The script writes this value directly into the configuration filedatabase.php, which is then loaded and interpreted by PHP.
Impact
Successful exploitation allows a remote unauthenticated attacker to execute arbitrary PHP code on the server. This results in full compromise of the web application and potentially the underlying server, depending on the permissions of the PHP process. The attacker gains the ability to read, write, and delete files, execute system commands, and pivot to other internal resources [1].
Mitigation
As of the publication date (2018-11-11), no patched version was available. The vendor did not release a fix for YUNUCMS 1.1.5. The only effective mitigation is to ensure the /data/install.lock file exists and is non-deletable by the web server, though this does not protect against the arbitrary file deletion that can remove it. Organizations using YUNUCMS should consider replacing it with an actively maintained alternative or apply strict web application firewall (WAF) rules to block the known exploit patterns. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 1.1.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/doublefast/yunucms/issues/1mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.