CVE-2018-19246 Information
Feb 14, 2021
cve
Description
PHP-Proxy 5.1.0 allows remote attackers to read local files if the default \pre-installed version\ (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place and this value can be easily used to calculate the authorization data needed for local file inclusion.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://github.com/Athlon1600/php-proxy-app/issues/134 https://www.exploit-db.com/exploits/45861/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
NONE
Base Severity
7.5
Share on: