cbcvebase.
CVE-2010-4335
published 2011-01-14

Priority: P2 (66), severity high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 55.20% (98.9th percentile)
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.

Affected (12 ranges)

Vendor           Product   Version range                     Fixed in
cakefoundation   cakephp   (no version range given)          (none given)
cakephp          cakephp   (no version range given)          (none given)   [8 identical entries in the source]
cakephp          cakephp   >= 0, < 1.3.2-1.1                 1.3.2-1.1
cakephp          cakephp   >= 1.2.8, < 1.3.6                 1.3.6
debian           cakephp   < cakephp 1.3.2-1.1 (bullseye)    cakephp 1.3.2-1.1 (bullseye)

Detection & IOCs (extracted from sources)

path: libs/controller/components/security.php
url: http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt
command (request body pattern): data%5b_Token%5d%5bkey%5d=<key>&data%5b_Token%5d%5bfields%5d=<fields><rot13+urlencoded serialized App object>
  • Alert on writes to the CakePHP persistent cache file 'cake_core_file_map' (typically under tmp/cache/persistent/) made by the web server process: the exploit corrupts this file to achieve arbitrary local file inclusion via the file_map cache key.
  • Look for POST body parameters containing URL-encoded brackets for '_Token' fields, i.e. 'data%5b_Token%5d%5bfields%5d'. This is the specific parameter the exploit targets, and the value it carries is handed to unserialize().
  • The exploit abuses PHP's __destruct magic method on the CakePHP App class to write attacker-controlled values into Cache::write('file_map', ..., '_cake_core_'). Monitor for unexpected modifications to the _cake_core_ cache store.
  • The exploit requires the CakePHP Security component to be active on the targeted controller/action. Applications not using the Security component are not vulnerable via this attack path.
  • The exploit relies on CakePHP's default file-based caching. Deployments using a non-file-based cache backend (e.g., Memcache, APC) may limit or alter the exploitability of the file_map corruption technique.
  • PHP's magic_quotes_gpc (enabled by default in older PHP installs) may escape quotes in the POST payload, which the Metasploit module notes as a potential bad-character concern for payload construction.
  • The vulnerability was patched in CakePHP versions 1.3.6 and 1.2.9; Debian bullseye resolved it in package version 1.3.2-1.1.
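The two request-side detection items above (the 'data%5b_Token%5d%5bfields%5d' parameter and the serialized object it smuggles) can be turned into a body-level check. The following Python is an added example written for this page; it is not CakePHP code and not the referenced exploit. It assumes, based on the description, that the 1.3.x SecurityComponent urldecode()s data[_Token][fields], splits it as '<hash>:<locked>' on the first ':' and calls unserialize(str_rot13(<locked>)), so a legitimate value decodes to a serialized PHP array ('a:...') while the attack needs a serialized object ('O:...'). The sample POST bodies, the hash value and the App-shaped payload are constructed stand-ins, not captured traffic.

```python
"""Heuristic detector for CVE-2010-4335 exploitation attempts in POST bodies.

Added example for this advisory; not CakePHP code, not the published exploit.
Assumed (not confirmed by the page): SecurityComponent::_validatePost does
urldecode() on data[_Token][fields], splits '<hash>:<locked>' on the first ':'
and runs unserialize(str_rot13(<locked>)). FormHelper emits a serialized array
there, so anything unserialize() would turn into an object is anomalous.
"""
import codecs
import re
from urllib.parse import quote, unquote, unquote_plus

TOKEN_FIELDS_KEY = "data[_Token][fields]"

# Serialized PHP object (O:) or Serializable class (C:): <T>:<len>:"<Class>":<n>:{
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])([OC]):\d+:"([A-Za-z_][A-Za-z0-9_]*)":\d+:\{')


def parse_body(body: str) -> dict:
    """Decode an x-www-form-urlencoded body the way PHP fills $_POST
    (one URL-decoding pass, '+' as space). Repeated keys keep the last value."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def decode_locked_fields(fields_value: str) -> str:
    """Mirror the vulnerable component's (assumed) decoding chain:
    urldecode, drop the leading hash, str_rot13. Result is what unserialize() sees."""
    token = unquote(fields_value)
    locked = token.split(":", 1)[1] if ":" in token else token
    return codecs.decode(locked, "rot13")


def analyze_post_body(body: str) -> dict:
    """Return a finding for one POST body, or {} when it carries no _Token.fields."""
    params = parse_body(body)
    if TOKEN_FIELDS_KEY not in params:
        return {}
    decoded = decode_locked_fields(params[TOKEN_FIELDS_KEY])
    match = PHP_OBJECT_RE.search(decoded)
    return {
        # leading type tag of the serialized value: 'a' array, 'O' object, 'C' custom
        "serialized_type": decoded[:1],
        "object_class": match.group(2) if match else None,
        # a plain serialized array is the only thing FormHelper would have emitted
        "suspicious": match is not None or not decoded.startswith("a:"),
    }


def scan(bodies: dict) -> list:
    """Names of the sample bodies that look like CVE-2010-4335 attempts."""
    return [name for name, body in bodies.items() if analyze_post_body(body).get("suspicious")]


def make_fields_value(serialized_locked: str, token_hash: str = "0123456789abcdef") -> str:
    """Build data[_Token][fields] as a 1.3.x form would (assumed format):
    '<hash>:' + str_rot13(serialized), URL-encoded. Used here only to build samples."""
    return quote(token_hash + ":" + codecs.encode(serialized_locked, "rot13"), safe="")


# Constructed sample POST bodies (not captured traffic). The object payload is a
# stand-in shaped like the attack the advisory describes (an App object carrying
# a poisoned __map); it is not the published exploit's payload.
BENIGN_LOCKED = 'a:2:{i:0;s:7:"User.id";i:1;s:9:"User.role";}'
OBJECT_LOCKED = ('O:3:"App":1:{s:5:"__map";a:1:{s:4:"Core";a:1:'
                 '{s:8:"Security";s:13:"/tmp/evil.php";}}}')
SAMPLES = {
    "benign_form": "data%5BUser%5D%5Bname%5D=bob&data%5B_Token%5D%5Bkey%5D=abc123"
                   "&data%5B_Token%5D%5Bfields%5D=" + make_fields_value(BENIGN_LOCKED),
    "object_injection": "data%5b_Token%5d%5bkey%5d=abc123"
                        "&data%5b_Token%5d%5bfields%5d=" + make_fields_value(OBJECT_LOCKED),
    "no_token": "username=bob&password=hunter2",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyze_post_body(body))
    print("flagged:", scan(SAMPLES))
```

Decoding exactly the way the vulnerable code path does (URL-decode, strip the hash, rot13) matters: a regex for `O:` on the raw parameter would miss the payload, because rot13 turns `O:3:"App"` into `B:3:"Ncc"`. The check is deliberately broad (any non-array serialized value is flagged), which is fine for a parameter that legitimately only ever carries an array; on a non-file cache backend the write may not lead to code execution, but the request is still an attack attempt worth alerting on.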

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       7.5     HIGH
vendor_debian             7.5     HIGH