CVE-2019-9182 in zzzphp
Summary
by MITRE
There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/08/2025
The vulnerability identified as CVE-2019-9182 affects ZZZCMS zzzphp version 1.6.1 and represents a critical cross-site request forgery flaw that enables unauthorized code execution. This vulnerability resides within the administrative interface at the /admin015/save.php endpoint with the act=editfile parameter, creating a dangerous attack vector that bypasses standard authentication mechanisms. The flaw stems from inadequate validation of user-supplied input, specifically in how the system processes filename and file content parameters without proper sanitization or authorization checks. The vulnerability is categorized under CWE-352, which specifically addresses Cross-Site Request Forgery, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as it allows for PHP code injection through file manipulation. The attack surface is particularly concerning because it operates within the administrative context of the CMS, providing attackers with elevated privileges to modify system files.
The technical implementation of this vulnerability exploits the lack of proper anti-CSRF token validation within the administrative file editing functionality. When an authenticated administrator performs a file edit operation, the system fails to verify the authenticity of the request origin, allowing malicious actors to craft forged requests that appear legitimate. The file parameter accepts arbitrary filenames which can include directory traversal sequences, while the filetext parameter contains the actual payload that gets written to the specified file location. This dual-parameter injection approach enables attackers to inject malicious PHP code into system files, potentially compromising the entire web application and underlying server infrastructure. The vulnerability essentially transforms a legitimate administrative function into a code execution primitive, as demonstrated by the ability to write arbitrary PHP content to files within the web root or application directories.
The operational impact of CVE-2019-9182 extends far beyond simple data manipulation, as successful exploitation can result in complete system compromise and persistent backdoor access. An attacker who successfully exploits this vulnerability can deploy web shells, modify core application files, steal sensitive data, or establish persistent access points within the target environment. The consequences include potential data breaches, service disruption, and lateral movement within network environments where the compromised CMS instance resides. This vulnerability particularly affects organizations that rely on ZZZCMS for content management, as it provides a direct path to system compromise without requiring advanced exploitation techniques or specialized knowledge of the underlying system architecture. The impact is amplified by the fact that the vulnerability exists in the administrative interface, which typically requires elevated privileges and represents a critical attack surface that should be protected with robust security controls.
Mitigation strategies for CVE-2019-9182 must address both the immediate vulnerability and strengthen overall security posture. Organizations should implement proper anti-CSRF token validation across all administrative endpoints, ensuring that each request contains a unique, unpredictable token that validates the user's intent. The system should enforce strict input validation and sanitization for all user-supplied parameters, particularly those related to file paths and content. Implementing proper access controls and monitoring administrative activities can help detect unauthorized file modifications. Security updates from the vendor should be applied immediately, as this vulnerability has been addressed in subsequent releases. Network segmentation and web application firewalls can provide additional layers of protection by monitoring and filtering suspicious requests to administrative endpoints. The implementation of principle of least privilege should ensure that administrative functions are only accessible from trusted networks and require multi-factor authentication. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other components of the web application stack, as this flaw demonstrates the importance of validating all user inputs and implementing proper authorization controls in administrative interfaces.