- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module
All three modules include documentation with Docker lab setup instructions.
The module have been tested on different version of ChurchCRM (6.8.0 and
6.2.0) prooving it's vulnerability to this exploit. This commit contains
modification of the dockerfile/docker-compose in order to support
multi-version installation.
Removed the broken sed command that doesn't work correctly. Updated note to specify editing /var/www/html/AVideo/videos/configuration.php manually with an editor instead.
Removed mention of automatic sed fix in docker-entrypoint. Updated note to specify that users should manually edit /var/www/html/AVideo/videos/configuration.php if they encounter redirect issues with webSiteRootURL.
Changed HTTP_PORT from 9999 to 80 in the documentation to use the correct URL directly. This fixes the webSiteRootURL issue where AVideo was generating incorrect URLs with the mapped port instead of the container's internal port.
The MariaDB container fails to start with 'Bad magic header in tc log' error
when the data directory has incorrect permissions or was previously corrupted.
This occurs during first-time setup of the AVideo lab environment.
The fix:
- Creates a custom entrypoint script that detects and removes corrupted tc.log
files by checking the magic header (should be 01 00 00 00)
- Modifies Dockerfile.mariadb to integrate the fix script into the original
MariaDB entrypoint using sed
- Ensures the fix runs automatically before MariaDB initialization
This allows the lab to start successfully on first run without manual intervention.
Co-authored-by: bwatters-r7 <bwatters-r7@users.noreply.github.com>
adfoster-r7