CVE-2010-4335
Published 2011-01-14
CVE-2010-4335: The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal…
Priority: P2 · 66 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 55.20% (98.9th percentile)
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cakefoundation | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | — | — |
| cakephp | cakephp | >= 0 < 1.3.2-1.1 | 1.3.2-1.1 |
| cakephp | cakephp | >= 1.2.8 < 1.3.6 | 1.3.6 |
| debian | cakephp | < cakephp 1.3.2-1.1 (bullseye) | cakephp 1.3.2-1.1 (bullseye) |
Detection & IOCs
command: data%5b_Token%5d%5bkey%5d=<key>&data%5b_Token%5d%5bfields%5d=<fields><rot13+urlencoded serialized App object>
- Alert on writes to the CakePHP persistent cache file 'cake_core_file_map' (typically at tmp/cache/persistent/) from web process context, as the exploit corrupts this file to achieve arbitrary local file inclusion via the file_map cache key.
- Look for POST body parameters containing URL-encoded brackets for '_Token' fields: 'data%5b_Token%5d%5bfields%5d'; this is the specific parameter targeted by the exploit.
- The exploit abuses PHP's __destruct magic method on the CakePHP App class to write attacker-controlled values into Cache::write('file_map', ..., '_cake_core_'). Monitor for unexpected modifications to the _cake_core_ cache store.
- The exploit requires the CakePHP Security component to be active on the targeted controller/action. Applications not using the Security component are not vulnerable via this attack path.
- The exploit leverages CakePHP's default file-based caching system. Deployments using a non-file-based cache backend (e.g., Memcache, APC) may limit or alter the exploitability of the file_map corruption technique.
- PHP's magic_quotes_gpc (enabled by default in older PHP installs) may escape quotes in the POST payload, which the Metasploit module notes as a potential bad-character concern for payload construction.
- The vulnerability was patched in CakePHP versions 1.3.6 and 1.2.9; Debian bullseye resolved it in package version 1.3.2-1.1.
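The POST-body check from the list above, as an added detection example (not code from the original page, the advisories, or CakePHP). It decodes the body before matching the parameter name, undoes the second URL-decoding and the rot13 step, and flags a serialized object where it assumes a legitimate form carries a serialized array; the function name, verdict labels, hash and class name `Example` are constructed for illustration.

```python
import codecs
import re
from urllib.parse import parse_qsl, unquote

FIELDS_KEY = "data[_Token][fields]"
# PHP serialized object header, e.g. O:3:"Foo": (C: is the Serializable form).
OBJECT_HEADER = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"')

def inspect_post_body(body: str):
    """Classify one raw application/x-www-form-urlencoded POST body."""
    # Decode first, then match the key: a literal search for
    # 'data%5b_Token%5d%5bfields%5d' misses %5B (upper-case hex) and raw brackets.
    params = dict(parse_qsl(body, keep_blank_values=True))
    token = params.get(FIELDS_KEY)
    if token is None:
        return ("no_token", "")
    # _validatePost calls urldecode() on the already-decoded value, so the
    # part after the colon may arrive double-encoded.
    token = unquote(token)
    if ":" not in token:
        return ("clean", "")
    _field_hash, locked = token.split(":", 1)
    decoded = codecs.decode(locked, "rot_13")  # undo str_rot13()
    if OBJECT_HEADER.search(decoded):
        return ("alert", decoded[:60])   # object reaches unserialize()
    if decoded.startswith("a:"):
        return ("clean", "")             # assumption: normal forms send an array
    return ("review", decoded[:60])

H = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real hash
SAMPLES = {  # constructed request bodies
    "normal_form": "_method=POST&data%5b_Token%5d%5bkey%5d=k1"
                   "&data%5b_Token%5d%5bfields%5d=" + H + "%3An%253A0%253A%257B%257D",
    "object_upper_hex": "data%5B_Token%5D%5Bkey%5D=k1"
                        "&data%5B_Token%5D%5Bfields%5D=" + H
                        + "%3AB%3A7%3A%22Rknzcyr%22%3A0%3A%7B%7D",
    "object_in_array": "data[_Token][fields]=" + H
                       + "%3An%3A1%3A%7Bv%3A0%3BB%3A7%3A%22Rknzcyr%22%3A0%3A%7B%7D%7D",
    "no_token": "data%5bUser%5d%5bname%5d=alice",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_post_body(body))
```
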
CVSS provenance
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 · HIGH
vendor_debian · 7.5 · HIGH
Debian
CVE-2010-4335: cakephp - The _validatePost function in libs/controller/components/security.php in CakePHP...
vendor_debian·2010·CVSS 7.5
Scope: local
bullseye: resolved (fixed in 1.3.2-1.1)
GHSA
CakePHP allows remote attackers to modify internal Cake cache and execute arbitrary code
ghsa·2022-05-17
CVE-2010-4335 [HIGH] CWE-20 CakePHP allows remote attackers to modify internal Cake cache and execute arbitrary code
The `_validatePost` function in `libs/controller/components/security.php` in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted `data[_Token][fields]` value that is processed by the unserialize function, as demonstrated by modifying the `file_map` cache to execute arbitrary local files.
OSV
CakePHP allows remote attackers to modify internal Cake cache and execute arbitrary code
osv·2022-05-17
OSV
CVE-2010-4335: The _validatePost function in libs/controller/components/security
osv·2011-01-14·CVSS 7.5
No detection rules found.
Exploit-DB
CakePHP 1.3.5/1.2.8 - 'Unserialize()' File Inclusion
exploitdb·2011-01-18
---
Source: http://securityreason.com/securityalert/8026
CakePHP data;
    $token = urldecode($check['_Token']['fields']);
    if (strpos($token, ':')) {
        list($token, $locked) = explode(':', $token, 2);
    }
    $locked = unserialize(str_rot13($locked));
-- snip --
The $check array contains our POST data and $locked is
a simple (rot-13 obfuscated) serialized string, which is completely
under our control.
PHP5 introduces a destructor with the "__destruct" method. Each object
will execute its __destruct method at the end of its lifetime and we can
use this to turn an unchecked unserialize() call into a useful exploit.
(See Stefan Esser's talk @
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
for more information)
CakePH
Exploit-DB
CakePHP 1.3.5/1.2.8 - Cache Corruption (Metasploit)
exploitdb·2011-01-14
---
##
# $Id: cakephp_cache_corruption.rb 11579 2011-01-14 16:25:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CakePHP %q{
CakePHP is a popular PHP framework for building web applications.
The Security component of CakePHP is vulnerable to an unserialize attack which
could be abused to allow unauthenticated attackers to execute arbitrary
code with the permissions of the webserver.
},
'Author' =>
[
'tdz',
'Felix Wilhelm', # poc
],
'License' => MSF_LICENSE,
'Version' => '$Revis
Metasploit
CakePHP Cache Corruption Code Execution
metasploit
CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and earlier is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.
No writeups or analysis indexed.
- http://malloc.im/CakePHP-unserialize.txt
- http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt
- http://secunia.com/advisories/42211
- http://securityreason.com/securityalert/8026
- http://www.exploit-db.com/exploits/16011
- http://www.osvdb.org/69352
- https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb
Published: 2011-01-14