CVE-2018-19246: Information Exposure

November 13, 2018 (updated December 13, 2018)

PHP-Proxy allows remote attackers to read local files if the default pre-installed version (intended for users who lack shell access to their web server) is used. This occurs because the app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

References

nvd.nist.gov/vuln/detail/CVE-2018-19246
www.exploit-db.com/exploits/45861/

Code Behaviors & Features

Detect and mitigate CVE-2018-19246 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →