| Title | Boyun Boyun PHPCMS <=1.4.20 Pre-Auth config injection |
|---|---|
| Description | A critical remote code execution (RCE) vulnerability exists in install/install_ok.php of Boyun Web CMS (≤1.4.20), where user-supplied database credentials—such as the database password—are directly written to the configuration file without proper sanitization. By injecting malicious PHP code into the database password field during installation, an attacker can cause the application to write executable code into application/database.php, which will be executed on subsequent requests, leading to full server compromise. |
| Source | https://note-hxlab.wetolink.com/share/6wemW8CnOMbu |
| User | YELEIPENG (UID 73615) |
| Submission | 06/26/2025 05:30 (10 months ago) |
| Moderation | 07/05/2025 19:39 (10 days later) |
| Status | Accepted |
| VulDB entry | 315015 [BoyunCMS up to 1.4.20 Configuration File /install/install_ok.php db_pass code injection] |
| Points | 20 |