From 8e3d9c97ce604d0f2402c25ef4c4cdbfb73019d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?= <krzysztof.zajac@cert.pl>
Date: Mon, 25 Sep 2023 16:24:23 +0200
Subject: [PATCH] ZZZCMS RCE is a false positive if we see phpinfo() without
 posting any data

---
 http/cves/2019/CVE-2019-9041.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/http/cves/2019/CVE-2019-9041.yaml b/http/cves/2019/CVE-2019-9041.yaml
index cef42a950c..9cfe4a4be4 100644
--- a/http/cves/2019/CVE-2019-9041.yaml
+++ b/http/cves/2019/CVE-2019-9041.yaml
@@ -23,6 +23,13 @@ info:
   tags: cve,cve2019,zzzcms,rce,edb
 
 http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/search/"
+
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+
   - method: POST
     path:
       - "{{BaseURL}}/search/"
@@ -36,7 +43,13 @@ http:
     matchers-condition: and
     matchers:
       - type: word
-        part: body
+        part: body_1
+        words:
+          - "phpinfo"
+        negative: true
+
+      - type: word
+        part: body_2
         words:
           - "phpinfo"
           - "PHP Version"