CVE-2018-19458

HIGH NUCLEI

php-proxy 3.0.3 - Unauthenticated Local File Inclusion via index.php q Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-19458. PoCs published by AkkuS. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Proxy 3.0.3 by leveraging the 'q' parameter in index.php to read arbitrary files from the server via the file:/// wrapper. The PoC sends a crafted HTTP request to retrieve the contents of a specified file.

Description

In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.

Exploits (1)

exploitdb WORKING POC
by AkkuS · pythonwebappsphp
https://www.exploit-db.com/exploits/45780

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Proxy 3.0.3 by leveraging the 'q' parameter in index.php to read arbitrary files from the server via the file:/// wrapper. The PoC sends a crafted HTTP request to retrieve the contents of a specified file.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: PHP-Proxy v3.0.3
No auth needed
Prerequisites: Target server running PHP-Proxy 3.0.3 · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

PHP Proxy 3.0.3 - Local File Inclusion
HIGHby daffainfo

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://pentest.com.tr/exploits/PHP-Proxy-3-0-3-Local-File-Inclusion.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45780/

Scores

CVSS v3 7.5
EPSS 0.7944
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-287
Status published
Products (2)
athlon1600/php-proxy-app 0Packagist
php-proxy/php-proxy 3.0.3
Published Nov 22, 2018
Tracked Since Feb 18, 2026