CVE-2018-19458
Description
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Proxy 3.0.3 allows unauthenticated attackers to read arbitrary files via a Local File Inclusion (LFI) flaw in the index.php script.
Vulnerability
PHP Proxy version 3.0.3 contains a Local File Inclusion (LFI) vulnerability in the index.php script. An attacker can control the q parameter to specify a file:/// URI, which the application processes without proper validation or sanitization. This allows reading arbitrary files from the server filesystem. The vulnerable version is 3.0.3; earlier versions may also be affected as per vendor history [1][2][3].
Exploitation
No authentication is required. An attacker simply sends an HTTP GET request to http://target/index.php?q=file:///[FilePath], where [FilePath] is the absolute path to any readable file on the server (e.g., /etc/passwd). Public proof-of-concept code is available [2][3]. The attacker only needs network access to the target web server.
Impact
An unauthenticated attacker can read any file that the web server process has read access to. This may include configuration files, application source code, database credentials, or sensitive system files. The vulnerability results in unauthorized information disclosure, potentially leading to further compromise.
Mitigation
As of the available references, no official patch has been released for this version. The vendor may have addressed the issue in a later release (the software has been archived or is no longer maintained). The only workaround is to disable the application or apply a web application firewall (WAF) rule to block file:// URIs in the q parameter until a fix is applied [1][2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| athlon1600/php-proxy-app (Packagist) | <= 3.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not validate or restrict the URI scheme passed via the `q` parameter, allowing the `file://` scheme to read arbitrary local files."
Attack vector
An unauthenticated attacker sends an HTTP GET request to `http://target/index.php?q=file:///[FilePath]` [ref_id=1][ref_id=2]. The `q` parameter is passed directly to PHP's proxy functionality without any authentication check or scheme whitelist [CWE-287]. The attacker can specify any file path on the server (e.g., `/etc/passwd`) and the response body will contain the file contents. No session, credentials, or special privileges are required.
Affected code
The vulnerable endpoint is `index.php` which accepts a `q` parameter. The advisory states the attack path is `http://target/index.php?q=file:///[FilePath]` [ref_id=1][ref_id=2]. No patch or source code diff is provided in the bundle, so the exact function handling the `q` parameter is not identified.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1][ref_id=2] does not describe a fix. To remediate, the application should validate the URI scheme in the `q` parameter, blocking or sanitizing the `file://` scheme, and should require authentication before serving any file access functionality [CWE-287].
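The scheme check that the mitigation and fix paragraphs call for, written here as an added Python example for reviewing web server access logs; it is not code from PHP Proxy or from the referenced advisories. The http/https allowlist, the combined log layout and the sample lines are assumptions constructed for illustration, and the allowlist goes one step beyond blocking `file://` by rejecting every scheme other than the two allowed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the proxy only needs web URLs
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2018:10:00:01 +0000] "GET /index.php?q=file:///etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.9 - - [10/Nov/2018:10:00:02 +0000] "GET /index.php?q=https://example.com/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Nov/2018:10:00:03 +0000] "GET /index.php?q=FILE%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Nov/2018:10:00:04 +0000] "GET /index.php?q=%2566ile%253A%252F%252F%252Fetc%252Fpasswd HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Nov/2018:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 812',
]

def q_scheme(request_target):
    """Scheme of the q parameter, lower-cased; "" if q has none; None if q is absent."""
    values = parse_qs(urlsplit(request_target).query, keep_blank_values=True).get("q")
    if not values:
        return None
    value = values[0]  # parse_qs has already percent-decoded once
    for _ in range(3):  # bounded re-decoding so nested encoding is normalised
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    match = SCHEME_RE.match(value.strip(" \t\r\n\x00"))
    return match.group(1).lower() if match else ""

def flag_requests(log_lines):
    """Return (line_number, scheme) for requests whose q scheme is not allowlisted."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        scheme = q_scheme(request.group(1))
        if scheme and scheme not in ALLOWED_SCHEMES:
            hits.append((number, scheme))
    return hits

if __name__ == "__main__":
    for number, scheme in flag_requests(SAMPLE_LOG):
        print(f"line {number}: q uses disallowed scheme {scheme!r}")
```

The same normalise-then-allowlist order applies if the check is moved into a WAF rule or into the application itself: decode first, compare the scheme second.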
Preconditions
- network: Attacker must be able to reach the PHP Proxy web server over HTTP.
- input: No authentication or session is required; any unauthenticated user can send the request.
Reproduction
1. Identify a target running PHP Proxy 3.0.3.
2. Send a GET request to `http://target/index.php?q=file:///etc/passwd`.
3. The server returns the contents of `/etc/passwd` in the HTTP response.

The PoC script [ref_id=1][ref_id=2][ref_id=3] demonstrates this by prompting for a target IP and a file path, then printing the response.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- www.exploit-db.com/exploits/45780/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-3x3m-p2wx-g7cw (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-19458 (ghsa; ADVISORY)
- pentest.com.tr/exploits/PHP-Proxy-3-0-3-Local-File-Inclusion.html (ghsa; x_refsource_MISC; WEB)
- www.exploit-db.com/exploits/45780 (ghsa; WEB)