Miggo Logo
Miggo Vulnerability Database
CVE-2018-19246

CVE-2018-19246: LFI in PHP-Proxy 5.1.0

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-19246
GHSA ID
GHSA-pc5h-m95g-v6rh
EPSS Score
0.97536%
CWE
CWE-200
Published
5/14/2022
Updated
7/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
athlon1600/php-proxycomposer<= 5.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the use of a hardcoded default app_key in config.php, which combines with the client IP to generate an encryption key via md5(). The str_rot_pass function uses this key to process URL parameters. Attackers can reverse-engineer the encryption process using the known default app_key to create valid authorization data for local file inclusion. The exploit code explicitly shows str_rot_pass being used to generate the malicious payload, confirming its role in the vulnerability chain.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*P-Proxy *.*.* *llows r*mot* *tt**k*rs to r*** lo**l *il*s i* t** ****ult "pr*-inst*ll** v*rsion" (int*n*** *or us*rs w*o l**k s**ll ****ss to t**ir w** s*rv*r) is us**. T*is o**urs ****us* t** `********************************` *pp_k*y v*lu* *rom t

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* * **r**o*** ****ult *pp_k*y in *on*i*.p*p, w*i** *om*in*s wit* t** *li*nt IP to **n*r*t* *n *n*ryption k*y vi* m**(). T** str_rot_p*ss *un*tion us*s t*is k*y to pro**ss URL p*r*m*t*rs. *tt**k*rs **n r*v*rs*-*n*