Closed robert6661 closed 4 years ago
Homebox download the latest version of PHP, from Stretch, when installing. Actually, 7.0+49.
This vulnerability has been fixed both in Stretch and Buster: https://security-tracker.debian.org/tracker/CVE-2019-11043.
It does when you install it for the first time but after that you have to manually update PHP.
https://bugs.php.net/bug.php?id=78599
Exploit is available here
I think by default homebox comes with PHP 7.0, which is vulnerable.