CVE-2024-12900 Overview
CVE-2024-12900 is a code injection vulnerability in FoxCMS versions up to 1.2, developed by Qianfox. The flaw resides in the /install/installdb.php file, part of the Configuration File Handler component. Manipulating the database password argument injects arbitrary code into the generated configuration file. The vulnerability is exploitable remotely and requires low privileges. The exploit details have been publicly disclosed, which raises the risk of opportunistic attacks against FoxCMS installations whose installer is still reachable.
Critical Impact
Remote attackers with low privileges can inject code through the database password parameter during installation, potentially leading to arbitrary code execution within the FoxCMS application context.
Affected Products
- Qianfox FoxCMS versions up to and including 1.2
- Component: Configuration File Handler (/install/installdb.php)
- CPE: cpe:2.3:a:qianfox:foxcms:*:*:*:*:*:*:*:*
Discovery Timeline
- 2024-12-23 - CVE-2024-12900 published to NVD
- 2025-07-15 - Last updated in NVD database
Technical Details for CVE-2024-12900
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-supplied input during the FoxCMS installation process. The installdb.php script accepts database configuration values, including the database password, and writes them into a PHP configuration file. The application fails to sanitize or escape this input before embedding it. As a result, attackers can craft a password value that breaks out of the string context and injects executable PHP code into the resulting configuration file.
The weakness aligns with CWE-94 (Improper Control of Generation of Code, 'Code Injection') and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). Once the malicious configuration file is written, every subsequent include of that file by FoxCMS executes the attacker-controlled code, so the injection persists beyond the installer request itself. Exploit details are referenced in the Zhao Jin Note Sharing writeup.
Root Cause
The root cause is the direct concatenation of unsanitized user input into a PHP file template. The installer trusts the database password field and inserts it verbatim into the generated configuration, treating untrusted input as trusted code structure.
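The pattern described above, as an added example that is not FoxCMS code: an installer that splices the database password into a PHP configuration template by string concatenation, beside a hardened writer that emits each value with var_export(). The template shape, the field names and the crafted value are assumptions made for this illustration, not the project's actual template or a known payload. The audit helper at the end tokenizes the generated file and lists every identifier followed by "(", which a config file that only returns an array of scalars should never contain.

```php
<?php
// Added example, not FoxCMS code. Template shape and field names are assumed.
declare(strict_types=1);

// Vulnerable: the raw value lands between two single quotes. A value that
// contains a quote ends the literal early and the remainder is parsed as code.
function renderConfigUnsafe(array $db): string
{
    return "<?php\n"
        . "return [\n"
        . "    'hostname' => '" . ($db['hostname'] ?? '') . "',\n"
        . "    'username' => '" . ($db['username'] ?? '') . "',\n"
        . "    'password' => '" . ($db['password'] ?? '') . "',\n"
        . "];\n";
}

// Hardened: var_export() produces a syntactically valid PHP literal and
// escapes the backslash and the single quote, so the value cannot terminate
// the string it is placed in.
function renderConfigSafe(array $db): string
{
    $lines = [];
    foreach (['hostname', 'username', 'password'] as $key) {
        $lines[] = '    ' . var_export($key, true)
            . ' => ' . var_export((string) ($db[$key] ?? ''), true) . ',';
    }
    return "<?php\nreturn [\n" . implode("\n", $lines) . "\n];\n";
}

// Audit helper for a generated config file: collect every identifier that is
// followed by "(", i.e. a function call. Injected code surfaces here as
// names such as "system" or "shell_exec"; a clean config yields an empty list.
function callNamesIn(string $php): array
{
    $names  = [];
    $tokens = token_get_all($php);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_STRING) {
            continue;
        }
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $names[] = strtolower($tokens[$i][1]);
        }
    }
    return $names;
}

// Constructed attacker value (illustration only): closes the password literal,
// adds an array element whose value is a function call, then reopens a string
// so the template's trailing quote still parses.
$crafted = "x', 'x' => system(\$_GET['c']), 'y' => '";
$db = ['hostname' => 'localhost', 'username' => 'foxcms', 'password' => $crafted];

echo "unsafe config calls: ", implode(',', callNamesIn(renderConfigUnsafe($db))), "\n";
echo "safe config calls:   ", implode(',', callNamesIn(renderConfigSafe($db))), "\n";
echo renderConfigSafe($db);
```

Run with `php example.php`. With the crafted value, the unsafe renderer's output contains a call to `system`, while the hardened output contains no calls at all because the entire value remains one escaped string literal. The same tokenizer-based audit can be pointed at an existing FoxCMS configuration file to check for tampering.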
Attack Vector
Attackers reach the vulnerable endpoint over the network by sending a crafted HTTP request to /install/installdb.php. A malicious payload supplied in the database password parameter is written into the configuration file. When FoxCMS subsequently loads the configuration, the injected PHP executes within the web server context. The attack requires the installer to be accessible, which is common on exposed or unfinished deployments.
The referenced writeup describes the injection point; no verified proof-of-concept code is published in the referenced repositories. See the VulDB entry for additional technical context.
Detection Methods for CVE-2024-12900
Indicators of Compromise
- Unexpected HTTP POST requests to /install/installdb.php on production FoxCMS hosts
- PHP configuration files written by the installer whose database credential values contain backticks, unescaped quotes, or PHP tags such as <?php or ?>
- Web server processes spawning shell commands shortly after access to the installer path
Detection Strategies
- Inspect web access logs for requests to installation endpoints after initial deployment is complete
- Review generated FoxCMS configuration files for syntactic anomalies in database credential fields
- Hunt for outbound connections from the web server originating after installer access
Monitoring Recommendations
- Alert on any access to /install/ paths on production FoxCMS instances
- Monitor file integrity for configuration files written by the installer
- Track PHP process executions that deviate from the established application baseline
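The first detection strategy above, applied to combined-format web access log lines, as an added example that is not FoxCMS tooling: installer requests that arrive after the deployment was completed are returned for review. The log lines are constructed samples, the deployment cutoff time is an assumption the operator supplies, and the script requires PHP 8 for str_starts_with().

```php
<?php
// Added example, not FoxCMS tooling. Sample log lines are constructed.
declare(strict_types=1);

const INSTALLER_PREFIX = '/install/';

// Parse one combined-format access log line into its fields; null if it
// does not match or carries an unparseable timestamp.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $time = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    // Strip any query string so prefix matching sees only the path.
    $path = parse_url($m[4], PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $m[4];
    }
    return [
        'ip'     => $m[1],
        'time'   => $time,
        'method' => $m[3],
        'path'   => $path,
        'status' => (int) $m[5],
    ];
}

// Return entries that touch the installer after $deployedAt. Every such hit
// on a production host deserves a look; POSTs to installdb.php most of all.
function installerHitsAfter(array $lines, DateTimeImmutable $deployedAt): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parseAccessLine($line);
        if ($e === null || $e['time'] <= $deployedAt) {
            continue;
        }
        if (str_starts_with($e['path'], INSTALLER_PREFIX)) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// Constructed sample log: a legitimate setup session, then a later hit.
$sampleLog = [
    '203.0.113.5 - - [20/Dec/2024:09:01:11 +0000] "GET /install/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Dec/2024:09:03:40 +0000] "POST /install/installdb.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Dec/2024:09:10:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jan/2025:03:14:09 +0000] "POST /install/installdb.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
];

// Assumed time at which setup was completed on this host.
$deployedAt = new DateTimeImmutable('2024-12-20T10:00:00+00:00');
foreach (installerHitsAfter($sampleLog, $deployedAt) as $hit) {
    printf("%s %s %s %d at %s\n", $hit['ip'], $hit['method'], $hit['path'],
        $hit['status'], $hit['time']->format(DATE_ATOM));
}
```

Feed it real log lines with `file('access.log', FILE_IGNORE_NEW_LINES)` in place of the sample array. The cutoff keeps the legitimate setup session out of the results, so only the later POST from the second address is reported; on a host where the /install/ directory was removed after setup, the same hits also indicate that the directory has been restored or was never deleted.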
How to Mitigate CVE-2024-12900
Immediate Actions Required
- Remove or restrict access to the /install/ directory on all production FoxCMS hosts immediately after setup
- Audit existing FoxCMS configuration files for injected PHP code and restore from known-good backups if tampering is found
- Block external access to installation endpoints at the web server or WAF layer
Patch Information
No vendor advisory or patched version has been published in the referenced sources at the time of NVD publication. Operators should monitor the Qianfox FoxCMS project channels for an official fix and apply it as soon as available.
Workarounds
- Delete the /install/ directory after initial deployment to eliminate the attack surface
- Apply web server access controls that restrict installation paths to specific administrative IP addresses
- If the installer must remain reachable during deployment, keep the exposure window short and restrict it to the administrator's address; operators cannot sanitize this input from outside, because the fix belongs in the installer itself, which should write each value as an escaped PHP literal (for example with var_export()) instead of concatenating it into the template
# Example Apache (2.4 and later) configuration to block access to the installer;
# place it in the virtual host and adjust the path to the FoxCMS document root
<Directory "/var/www/foxcms/install">
    Require all denied
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.