cbcvebase.
CVE-2009-4140
published 2009-12-22


Priority: P2 (high, CVSS 2.0 base score 7.5)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck KEV: exploited in the wild
EPSS: 75.84% (99.5th percentile)
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.

Affected (5 ranges)

Vendor               Product            Version range   Fixed in
debian               matomo
matomo               matomo
matomo               matomo
matomo               matomo
teethgrinder.co.uk   open_flash_chart

Detection & IOCs (extracted from sources)

path: ofc_upload_image.php
path: tmp-upload-images/
path: /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php
path: /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php
filename: joxypoxy.php
path: administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/
path: administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php
command: ?cmd=system('id');
  • Detect POST requests to ofc_upload_image.php whose 'name' parameter carries a .php extension; this is the upload vector for arbitrary PHP file creation.
  • Monitor GET requests for .php files under tmp-upload-images/ that follow a POST to ofc_upload_image.php; this upload-then-execute sequence is the exploitation pattern.
  • Alert on HTTP response bodies from ofc_upload_image.php containing 'Saving your image to'; this string confirms the vulnerable component is present and active.
  • Flag POST requests to ofc_upload_image.php with Content-Type 'text/plain'; exploits use this non-standard content type to deliver the raw PHP payload via HTTP_RAW_POST_DATA.
  • Use the Google dork to identify exposed instances: search for the OpenFlashChart path under Joomla CiviCRM installations.
  • The vulnerability is exploitable only when PHP's register_globals is enabled; systems with register_globals disabled are not affected by this specific attack vector.
  • The OpenEMR variant of this vulnerability requires no authentication, unlike the base CVE, which requires authenticated users; detection rules should cover both authenticated and unauthenticated exploitation attempts depending on the target application.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck                 7.5     HIGH
vendor_debian             7.5     LOW