CVE-2018-19784
Description
PHP-Proxy 5.1.0 uses weak cryptography in str_rot_pass, allowing attackers to decrypt authorization data and perform local file inclusion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The str_rot_pass function in vendor/athlon1600/php-proxy/src/helpers.php of PHP-Proxy 5.1.0 uses weak encryption, making the authorization data easily decrypted [1]. Even if the user changes the default key, the encryption is flawed [3][4]. The vulnerability is present in all versions up to 5.1.0 [3].
Exploitation
An attacker can exploit this by sending a crafted request to decrypt the authorization key. The exploit requires that the url_mode is set to 2 (default) and that the curl file protocol is not disabled [3]. Using the decrypted key, the attacker can perform a local file inclusion attack. A sample payload is available [3].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, such as /etc/passwd, leading to information disclosure [3]. The attacker does not require authentication.
Mitigation
As of the publication date (2018-12-01), no patched version has been released [1][3]. Users should disable the curl file protocol or change the url_mode setting to mitigate the risk until a fix is available.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| athlon1600/php-proxy (Packagist) | <= 5.1.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- github.com/advisories/GHSA-4wgf-9x5r-p938 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-19784 (ghsa, ADVISORY)
- github.com/0xUhaw/CVE-Bins/tree/master/PHP-Proxy (ghsa, WEB)
- github.com/Athlon1600/php-proxy-app/issues/139 (ghsa, x_refsource_MISC, WEB)
- github.com/eddietcc/CVE-Bins/blob/master/PHP-Proxy/readme.md (mitre, x_refsource_MISC)