FuelPHP vulnerable to remote code execution


FuelPHP is a PHP web framework for creating web applications. FuelPHP applications contain an issue in the Request_Curl class, which may result in arbitrary code execution.

Masaaki Chida of GREE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

FuelPHP applications that are created using the following versions are affected:

  • FuelPHP versions 1.1 through 1.7.1


When specially crafted input is processed, arbitrary files may be deleted or arbitrary code may be executed on the application server.

[Update to the latest version of the framework and address any applications that use the Request_Curl class]
Update the framework to the latest version according to the information provided by the developer.
After updating, search for all controllers in the application that use the Request_Curl class. For each instance found, verify if the response from the cURL call can be trusted. If so, auto formatting can be enabled on the instance manually. If not, validation code needs to be added to validate the response received after executing the request. After succesful validation auto formatting can be enabled and set_response() can be called manually to construct the response in the correct format.

The developer has provided documentation on the safety implications of these settings.
Vendor Information

CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-1999

  1. JVN : JVN#94791545
  2. National Vulnerability Database (NVD) : CVE-2014-1999
Revision History

  • [2014/07/18]
      Web page was published
      References : Content was added