| Title | Boyun Boyun PHPCMS <=1.4.20 Pre-Auth config injection |
|---|---|
| Description | A critical remote code execution (RCE) vulnerability exists in install/install_ok.php of Boyun Web CMS (≤1.4.20), where user-supplied database credentials—such as the database password—are directly written to the configuration file without proper sanitization. By injecting malicious PHP code into the database password field during installation, an attacker can cause the application to write executable code into application/database.php, which will be executed on subsequent requests, leading to full server compromise. |
| Source | ⚠️ https://note-hxlab.wetolink.com/share/6wemW8CnOMbu |
| User | YELEIPENG (UID 73615) |
| Submission | 26.06.2025 05:30 (10 months ago) |
| Moderation | 05.07.2025 19:39 (10 days later) |
| Status | Accepted |
| VulDB entry | 315015 [BoyunCMS up to 1.4.20 Configuration File /install/install_ok.php db_pass privilege escalation] |
| Points | 20 |