New Vulnerability Found in the Decade-Old phpCMS 2008 Can Lead to Fresh WebShell Attacks

By Wu Fan

Content management systems and their owners are frequently victims of attacks due to their ubiquity, rich extensibility through 3rd party plugins, direct exposure to the incoming internet traffic, and inadequate attention to keep the CMS and the systems they run on up-to-date. Due to CMS limitations, custom functionality is often hard-coded, making updates to a newer version of CMS difficult or impossible. In addition, 0day vulnerabilities present a serious threat to anybody running even a well maintained publicly-facing website.

This attack on an outdated phpCMS content management system from 2008 highlights several important lessons. At a minimum, any content management system should be routinely upgraded and maintained, and phpCMS 2008 owners must take an immediate action. Second, any web exposure (a website, or a RESTful API) must be protected with a web firewall, which acts as an umbrella for a variety of exploits and vulnerabilities. Modern web firewalls, such as Alibaba Cloud WAF, provide additional protection that go beyond detecting patterns that can be detected with rigid rules. Finally, Managed Security Service, can be an excellent choice for many organizations to continuously receive high quality professional service to minimize the risks.

The situation with this particular vulnerability is complicated by the fact that many people still running phpCMS 2008 may not realize it, otherwise they would have upgraded long time ago.

Yuriy Yuzifovich,

Head of Security Innovation Labs (S.I.L.) at Alibaba Cloud

On November 4, Alibaba Cloud Security discovered a new attack exploiting the /type.php remote GetShell 0day vulnerability of phpCMS 2008 (CNVD-C-2018–127157/CVE-2018–19127). This vulnerability allows attackers to remotely implant WebShell and can result in serious problems, such as file tampering, data leaks, and remote server control. We recommend that vulnerable users upgrade to the latest phpCMS version as soon as possible.

phpCMS is a popular in China and worldwide open-source Content Management System (CMS).

phpCMS was first launched in 2008 and its latest version is v9.6.3. Due to its stability, flexibility, and open-source nature, phpCMS 2008 is still being used by many websites.

Vulnerability Details

When an attacker sends payload data with the following URI to a website installed with phpCMS 2008:


@unlink(_FILE_);assert($_POST[1]);, this malicious PHP directive is written to the website file /cache_template/rss.tpl.php.

Vulnerability Principles

The vulnerability is located in the /type.php file in the PHPCMS 2008 source code. The file contains the following code:

if(empty($template)) $template = 'type';
include template('phpcms', $template);

where, the $template variable is controlled by input parameters. As you can see, the template() method is included in this variable in subsequent operations. The template() method is defined in the /include/global.func.php file, which includes the following code:

template_compile($module, $template, $istag);

The template_compile() method in /include/template.func.php is called here.

function template_compile($module, $template, $istag = 0)
$compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php';
$content = ($istag || substr($template, 0, 4) == 'tag_') ? '<?php function _tag_'.$module.'_'.$template.'($data, $number, $rows, $count, $page, $pages, $setting){ global $PHPCMS,$MODULE,$M,$CATEGORY,$TYPE,$AREA,$GROUP,$MODEL,$templateid,$_userid,$_username;@extract($setting);?>'.template_parse($content, 1).'<?php } ?>' : template_parse($content);
$strlen = file_put_contents($compiledtplfile, $content);

In this method, the $template variable is used to generate both the file path in $compiledtplfile and the file content in $content.

In the attack payload mentioned previously, $template is set to the following value:


Therefore, when the file_put_contents() function is called in the template_compile() method, the first parameter is written as data/cache_template/phpcms_tag_(){};@unlink(_FILE_);assert($_POST[1]);{//../rss.tpl.php. PHP resolves this parameter to "data/cache_template/rss.tpl.php".

Finally, @unlink(_FILE_);assert($_POST[1]); is written to this file.

Impact Scope

Already ten years old, phpCMS is still being used by many websites, including government and corporate websites. phpCMS 2008 is still being used by nearly 200 websites according to the network-wide exact search results from FOFA and over 10 thousand websites according to the fuzzy match results.

Exploiting this vulnerability, attackers can write malicious script code to a file with a controllable path and then send WebShell directives to the file to have the server run any code. The impact of this code injection vulnerability can be severe.

Security Recommendations

Manual Repair

A temporary solution is to filter values of the $template variable in the /type.php file. This prevents the inclusion of user-input content that contains “(“, “{“, and other such symbols as well as the processing of such content as path or script content.

However, because phpCMS 2008 is out of date, we recommend that you upgrade it to the latest phpCMS version as soon as possible to guarantee your security.

Security Hardening

  1. Alibaba Cloud Firewall already provides intrusion defenses against this type of vulnerability. You can enable Alibaba Cloud Firewall’s IPS interception mode and virtual patching feature to defend against and intercept attacks that exploit this vulnerability, without having to manually repair it. At the time of writing, Alibaba Cloud Firewall is only available for mainland China accounts. Learn more at
  2. By purchasing Alibaba Cloud Managed Security Service, you can perform security hardening and optimization with the guidance from Alibaba Cloud security experts, which will protect you against this and other subsequent vulnerabilities.


Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store