CVE-2018-7490 in uWSGIinfo

Summary

by MITRE

uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/09/2025

The vulnerability identified as CVE-2018-7490 affects uWSGI versions prior to 2.0.17 and represents a critical directory traversal flaw within the PHP document root handling mechanism. This vulnerability specifically manifests when the --php-docroot option is utilized, creating a scenario where the application fails to properly validate or sanitize the DOCUMENT_ROOT parameter, thereby allowing malicious actors to manipulate file access patterns. The flaw resides in the application server's processing of PHP requests and demonstrates a classic improper input validation issue that can be exploited to access restricted files outside the intended document root directory.

The technical implementation of this vulnerability stems from insufficient boundary checking and validation within the uWSGI core module responsible for handling PHP requests. When the --php-docroot option is configured, the system should enforce strict boundaries on file access within the designated directory structure. However, due to inadequate sanitization of the DOCUMENT_ROOT variable, attackers can craft malicious requests that bypass these boundaries through directory traversal sequences such as ../ or ..\.. The vulnerability operates at the application layer and can be exploited through HTTP requests that manipulate the document root parameter, potentially leading to unauthorized file access, information disclosure, and in some cases, remote code execution depending on the server configuration and file permissions.

The operational impact of CVE-2018-7490 extends beyond simple information disclosure to potentially enable more severe attacks within web application environments. An attacker exploiting this vulnerability can access sensitive files such as configuration files, database credentials, application source code, and other privileged information that should remain restricted to authorized users only. This flaw particularly affects web applications hosted on uWSGI servers that utilize PHP processing and have configured the --php-docroot option, making it a significant concern for organizations running PHP web applications in production environments. The vulnerability can be exploited by appending directory traversal sequences to file paths in HTTP requests, potentially allowing attackers to read arbitrary files on the server filesystem and undermining the security boundaries established by the web application architecture.

Mitigation strategies for CVE-2018-7490 primarily focus on immediate software updates and configuration hardening measures. Organizations should upgrade to uWSGI version 2.0.17 or later, which includes proper validation of the DOCUMENT_ROOT parameter and implements robust boundary checking for the --php-docroot option. Additionally, system administrators should implement strict input validation at the application level, ensuring that all user-supplied parameters are properly sanitized and validated before processing. Network-level mitigations such as web application firewalls can provide additional protection by filtering suspicious directory traversal patterns in HTTP requests. The vulnerability aligns with CWE-22 - Improper Limiting of a Pathname to a Restricted Directory and can be mapped to ATT&CK technique T1083 - File and Directory Discovery, as it enables adversaries to enumerate and access files outside the intended document root. Organizations should also conduct regular security assessments of their web application environments to identify and remediate similar path traversal vulnerabilities in other components of their infrastructure.

Reservation

02/26/2018

Disclosure

02/26/2018

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.69907

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!