CVE-2019-9002
Description
An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the database_host parameter if the installer remains present in its original directory after installation is completed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: bugs_132, v1, v1.2, …
Patches
Vulnerability mechanics
Root cause
"The installer script `config-setup.php` is not removed after installation, allowing remote code execution via the `database_host` parameter."
Attack vector
An attacker can exploit this vulnerability if the installer script `config-setup.php` remains on the server after the initial installation. The attacker can then send a POST request to the installer, providing a malicious PHP payload in the `database_host` parameter. This payload will be executed by the server, leading to remote code execution. The vulnerability is present in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c [ref_id=1].
Affected code
The vulnerability lies within the `install/config-setup.php` script. Specifically, the script processes POST data, including the `database_host` parameter, without proper validation, and the script itself is not removed after installation. The patch modifies the script to include a check for the existence of `config-setup.php` and removes it upon successful completion of the installation process [ref_id=1].
What the fix does
The patch removes the `config-setup.php` file after the installation process is completed. This prevents the installer script from being accessible to remote attackers after the initial setup. By deleting the file, the opportunity to submit malicious input via the `database_host` parameter is eliminated, thereby closing the vulnerability [ref_id=1].
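As an added illustration of the fix described above (this is not code from Tiny Issue or pixeline Bugs), a minimal PHP installer that refuses to run once a configuration file exists, validates `database_host` before use, writes the configuration with `var_export()` so the value can never be interpreted as PHP source, and deletes itself on completion. The file paths and the assumption that the installer writes the submitted value into a PHP config file are mine, not from the page.

```php
<?php
// Added example (not the project's own installer). Assumes the installer writes
// the submitted settings into config.php as PHP source, which is where an
// unvalidated database_host would otherwise become executable code.
declare(strict_types=1);

$configFile = __DIR__ . '/../config.php';   // hypothetical target path

// 1. Never run the installer a second time: an existing config means
//    installation already completed and this script should no longer exist.
if (file_exists($configFile)) {
    http_response_code(403);
    exit('Already installed; remove install/config-setup.php.');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

// 2. Validate database_host against a conservative allowlist: hostname or
//    IPv4 literal with an optional :port. Quotes, braces, semicolons, newlines
//    and PHP tags are rejected before the value can reach the config file.
$host = $_POST['database_host'] ?? '';
if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$/', $host)) {
    http_response_code(400);
    exit('Invalid database_host');
}

// 3. Serialize with var_export(): the value is emitted as a quoted PHP string
//    literal with escaping done by PHP itself, never by hand-built source.
$config = "<?php\nreturn " . var_export(['database_host' => $host], true) . ";\n";
if (file_put_contents($configFile, $config, LOCK_EX) === false) {
    http_response_code(500);
    exit('Could not write configuration');
}

// 4. Remove the installer itself once setup succeeds, which is the change the
//    patch makes; log loudly if deletion is not possible so an operator removes it.
if (!@unlink(__FILE__)) {
    error_log('config-setup.php could not delete itself; remove it manually');
}
echo 'Installation complete';
```

A deployment check that `install/config-setup.php` is absent from every web root complements the self-deletion, since a failed `unlink()` (for example on a read-only mount) leaves the installer in place.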
Preconditions
- config: The application must be installed, and the installer script `install/config-setup.php` must still be present on the server.
- network: The attacker must have network access to the web server hosting the vulnerable application.
- input: The attacker must be able to send a POST request to the installer with a crafted `database_host` parameter containing a PHP payload.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mikelbring/tinyissue/issues/237 (MISC)
- github.com/pixeline/bugs/commit/9d2d3fcdea22e94f7b497f6ed83791ab3a31ee41 (MISC)
News mentions
No linked articles in our index yet.