High severity · NVD Advisory · Published Nov 13, 2018 · Updated Aug 5, 2024

CVE-2018-19246

Description

PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The default pre-installed version of PHP-Proxy 5.1.0 uses a hardcoded app_key, allowing remote attackers to read arbitrary local files via an encrypted URL parameter.

Vulnerability

PHP-Proxy 5.1.0, specifically the default "pre-installed version" intended for users without shell access, contains a hardcoded app_key value (aeb067ca0aa9a3193dce3a7264c90187) in config.php [1][3]. This key is used to derive an encryption key via MD5 of app_key concatenated with the visitor's IP address, enabling the application to encrypt URLs. Attackers can exploit this default key to craft encrypted payloads that trigger local file inclusion [4].

Exploitation

An attacker needs only the ability to make HTTP requests to the PHP-Proxy instance. Knowing the default app_key and their own IP address as seen by the server (which can be determined from a prior request), they can generate an encrypted URL using the str_rot_pass and base64_url_encode functions [3][4]. The attacker then sends a request to index.php?q=<encrypted_string>, where the encrypted string contains a file:// URI targeting a local file [3][4]. No authentication or special privileges are required [1].

Impact

Successful exploitation allows an attacker to read arbitrary local files on the web server, including sensitive data such as passwords or configuration files [1][4]. This results in a complete compromise of confidentiality, potentially leading to further attacks if credentials are exposed [3].

Mitigation

Users should change the default app_key in config.php to a unique, strong value and ensure the encryption key is not derived solely from the IP address [2][3]. Upgrade to a patched version if available; the issue was addressed in a pull request on GitHub [2], but no official patched release date is specified [1]. As a workaround, avoid using the default pre-installed version and manually secure the configuration [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
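
The mitigation above (replace the default app_key) can be checked and applied mechanically. The following is an added example, not code from PHP-Proxy or from this advisory; it assumes config.php sets the key on a line of the form `$config['app_key'] = '...';`, the function names are hypothetical, and treating an empty key as needing replacement is this example's own choice.

```python
import re
import secrets

# Default key quoted in the CVE-2018-19246 description.
DEFAULT_APP_KEY = "aeb067ca0aa9a3193dce3a7264c90187"

# Assumed line shape: $config['app_key'] = '...';  (single or double quotes)
APP_KEY_RE = re.compile(
    r"""^(?P<head>\s*\$config\[\s*(['"])app_key\2\s*\]\s*=\s*)(?P<q>['"])(?P<key>[^'"]*)(?P=q)""",
    re.MULTILINE,
)


def audit_app_key(config_text):
    """Classify a config.php body as 'default', 'empty', 'missing' or 'custom'."""
    m = APP_KEY_RE.search(config_text)
    if m is None:
        return "missing"  # no recognisable app_key assignment
    key = m.group("key")
    if key.lower() == DEFAULT_APP_KEY:
        return "default"  # the publicly known key is still in place
    return "custom" if key else "empty"


def rotate_app_key(config_text):
    """Replace a default or empty app_key with a fresh random 128-bit hex value."""
    if audit_app_key(config_text) not in ("default", "empty"):
        return config_text  # leave custom keys and unrecognised files untouched
    new_key = secrets.token_hex(16)  # 32 hex characters from the OS CSPRNG
    return APP_KEY_RE.sub(
        lambda m: f"{m.group('head')}'{new_key}'", config_text, count=1
    )


# Constructed sample input, not a copy of the project's file.
SAMPLE_CONFIG = """<?php
$config = array();
$config['app_key'] = 'aeb067ca0aa9a3193dce3a7264c90187';
return $config;
"""

if __name__ == "__main__":
    print("before:", audit_app_key(SAMPLE_CONFIG))
    print("after: ", audit_app_key(rotate_app_key(SAMPLE_CONFIG)))
```
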

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| athlon1600/php-proxy (Packagist) | <= 5.1.0 | |

Affected products

1

Patches

0

No patches discovered yet.
