[INFO] 2026-07-06T15:21:02+00:00 CVE-2026-48939 fix verification starting [INFO] 2026-07-06T15:21:02+00:00 Using cache root: /data/pruva/project-cache/21f75b67-70b1-47d7-9acf-f9f7949378cf/repo [INFO] 2026-07-06T15:21:02+00:00 Host IP: 172.20.0.1 [INFO] 2026-07-06T15:21:02+00:00 Vulnerable package: /data/pruva/project-cache/21f75b67-70b1-47d7-9acf-f9f7949378cf/repo/icagenda-4-0-7-package.zip (2203538 bytes) [INFO] 2026-07-06T15:21:02+00:00 Patch file: /data/pruva/runs/a3928cf6-d9aa-49be-a37a-7ca03155f786/bundle/coding/proposed_fix.diff [INFO] 2026-07-06T15:21:02+00:00 Starting Joomla verification stack on port 18141 Network verify_stack_default Creating Network verify_stack_default Created Container verify_stack-db-1 Creating Container verify_stack-db-1 Created Container verify_stack-joomla-1 Creating Container verify_stack-joomla-1 Created Container verify_stack-db-1 Starting Container verify_stack-db-1 Started Container verify_stack-db-1 Waiting Container verify_stack-db-1 Healthy Container verify_stack-joomla-1 Starting Container verify_stack-joomla-1 Started [INFO] 2026-07-06T15:21:44+00:00 Joomla healthcheck passed [INFO] 2026-07-06T15:21:44+00:00 Installing vulnerable iCagenda 4.0.7 Install Extension ================= [OK] Extension installed successfully. [INFO] 2026-07-06T15:21:48+00:00 Applying proposed fix to installed iCagenda source verify_stack-joomla-1 copy /data/pruva/runs/a3928cf6-d9aa-49be-a37a-7ca03155f786/bundle/coding/proposed_fix.diff to verify_stack-joomla-1:/tmp/proposed_fix.diff Copying verify_stack-joomla-1 copy /data/pruva/runs/a3928cf6-d9aa-49be-a37a-7ca03155f786/bundle/coding/proposed_fix.diff to verify_stack-joomla-1:/tmp/proposed_fix.diff Copied patching file components/com_icagenda/src/Model/SubmitModel.php [INFO] 2026-07-06T15:21:48+00:00 Patch applied successfully AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message [INFO] 2026-07-06T15:21:48+00:00 Configuring iCagenda public submit form mysql: [Warning] Using a password on the command line interface can be insecure. [INFO] 2026-07-06T15:21:49+00:00 Menu itemid=112, category catid=1 [INFO] 2026-07-06T15:21:49+00:00 CSRF token extracted [INFO] 2026-07-06T15:21:49+00:00 Submitting PHP attachment (should be blocked) [INFO] 2026-07-06T15:21:49+00:00 Files after PHP upload attempt: attachments directory absent [INFO] 2026-07-06T15:21:49+00:00 PHP shell fetch returned HTTP 404 [INFO] 2026-07-06T15:21:49+00:00 PHP upload was blocked as expected [INFO] 2026-07-06T15:21:49+00:00 Submitting legitimate text attachment (should succeed) [INFO] 2026-07-06T15:21:50+00:00 Files after text upload attempt: index.html 47 bytes verify-legit.txt 33 bytes [INFO] 2026-07-06T15:21:50+00:00 Legit attachment fetch returned HTTP 200 [INFO] 2026-07-06T15:21:50+00:00 Legitimate text attachment uploaded and retrieved successfully [INFO] 2026-07-06T15:21:50+00:00 CVE-2026-48939 fix verification PASSED: PHP upload blocked, legitimate upload works