CVE-2018-6881
Description
EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
EmpireCMS 6.6 through 7.2 leaks the server's physical path when an array is passed to functions expecting strings in several PHP files.
Vulnerability
EmpireCMS versions 6.6 through 7.2 are affected by a path disclosure vulnerability. The issue occurs in several PHP files where parameters are processed with htmlspecialchars() or addslashes() without validating that the input is a string. In e/admin/tool/ShowPic.php, parameters picurl, pic_width, pic_height, and url are passed directly to htmlspecialchars(). In e/class/connect.php, the variable $val is processed by addslashes() (v6.6) or htmlspecialchars() (v7.0 and v7.2). When an array value is supplied instead of a string, PHP's type mismatch error message reveals the full server file path [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attacker sends an HTTP GET request to the vulnerable script with one or more parameters submitted as an array (e.g., picurl[]=kongxin). The server returns a PHP error message displaying the complete physical path, such as /www/e/admin/tool/ShowPic.php on line 4. No special privileges or user interaction are required [1].
Impact
The impact is information disclosure: the exact server file path is leaked. This can aid further attacks by revealing the directory structure, potential web root location, or environment details. Data integrity and availability are not directly affected, but the information can be leveraged for more targeted exploitation [1].
Mitigation
As of the available references, no official patch has been released by EmpireCMS. Users should upgrade to the latest supported version if available, or manually validate that all input parameters are strings before passing them to htmlspecialchars() or addslashes(). Alternatively, disable PHP error display to prevent path leakage in production environments. The vulnerability is listed in the referenced research, but not in CISA KEV as of this writing [1].
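The string validation recommended above can be sketched as follows. This is an added example, not EmpireCMS code or a vendor patch; the helper names string_param() and int_param(), the 4096 upper bound, and the sample query array are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example: hardened parameter handling for a ShowPic.php-style script.
// Production setting: log errors, never render them into the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hypothetical helper: return a request parameter only if it is a string.
 * Arrays (e.g. from "picurl[]=x") and missing keys fall back to $default,
 * so htmlspecialchars()/addslashes() never receive a non-string.
 */
function string_param(array $source, string $name, string $default = ''): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    return $source[$name];
}

/** Hypothetical helper: bounded non-negative integer (for pic_width / pic_height). */
function int_param(array $source, string $name, int $default, int $max = 4096): int
{
    $raw = string_param($source, $name);
    if ($raw === '' || !ctype_digit($raw)) {
        return $default;
    }
    return min((int) $raw, $max);
}

// Constructed input standing in for $_GET: picurl and pic_height arrive as arrays.
$query = [
    'picurl'     => ['kongxin'],
    'pic_width'  => '640',
    'pic_height' => ['x'],
    'url'        => 'index.php?a=1&b="2"',
];

// Pattern described in the Vulnerability section (left commented out):
// $picurl = htmlspecialchars($query['picurl']); // array given -> error message with file path

$picurl = htmlspecialchars(string_param($query, 'picurl'), ENT_QUOTES, 'UTF-8');
$url    = htmlspecialchars(string_param($query, 'url'), ENT_QUOTES, 'UTF-8');
$width  = int_param($query, 'pic_width', 0);
$height = int_param($query, 'pic_height', 0);

var_dump($picurl, $url, $width, $height);
```

The same check applies to the $val handling in e/class/connect.php. Setting display_errors off only hides the message, so the type check is still needed to keep the error out of the logs and to avoid a TypeError on PHP 8.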
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 6.6
Patches
No patches discovered yet.
References
- [1] github.com/kongxin520/EmpireCMS/blob/master/EmpireCMS.md (mitre, x_refsource_MISC)
- kongxin.gitbook.io/dedecms-5-7-bug/ (mitre, x_refsource_MISC)
- kongxin.gitbook.io/empirecms/ (mitre, x_refsource_MISC)