CVE-2011-0518
Published 2011-01-20
Priority: P3 · 42
CVSS 2.0: 5.1 (medium), vector AV:N/AC:H/Au:N/C:P/I:P/A:P
Flags: EXPLOIT
EPSS: 15.83% (96.5th percentile)
Directory traversal vulnerability in core/lib/router.php in LotusCMS Fraise 3.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via the system parameter to index.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lotuscms | fraise | — | — |
Detection & IOCs (extracted from sources)
- The exploit POSTs to index.php with a 'page' parameter containing a PHP injection payload using eval(); detect POST requests to index.php where the 'page' parameter contains PHP code patterns such as ');${system( or similar eval-injectable strings.
- The LFI vector uses the 'system' parameter in index.php to traverse directories via 'core/plugs/<system>Starter.php'; detect GET/POST requests to index.php where the 'system' parameter contains directory traversal sequences (e.g., ../).
- Log poisoning technique: the attacker sends a crafted GET request with PHP shell code in the URI path (between hazStart and hazEnd markers) to poison Apache access logs, then includes the log via LFI; monitor for GET requests containing PHP tags in the URI.
- Blog comment injection: the attacker posts PHP shell code in the 'name' field of a blog comment (system=Blog), which is written to a .txt file under data/modules/Blog/data/comments/; monitor POST requests to index.php with system=Blog and PHP code in the name field.
- Nuclei detection: a successful RCE probe returns HTTP 200 with the MD5 string '38ee63071a04dc5e04ed22624c38e648' in the response body (md5 of 'lotuscms_rce\n').
- The LFI vulnerability (via the 'system' parameter) only works when magic_quotes_gpc is disabled in php.ini; if magic_quotes_gpc is enabled, directory traversal sequences will be escaped and the attack will fail.
- The exploit was developed and tested against Apache 2.2.14 / PHP 5.3.2 with magic_quotes_gpc = Off; behavior may differ on other configurations.
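The indicators above can be turned into a small access-log triage script. The following is an added example and not code from the CVE page, Exploit-DB, Metasploit or Nuclei: it assumes Apache 'combined' log format, and every log line in it is a constructed sample. It flags traversal in the 'system' parameter, eval-injectable strings in the 'page' parameter, PHP open tags anywhere in the request URI (log poisoning), and POSTs with system=Blog (which it can only mark for review, because the comment body is not in the access log).

```python
"""Access-log triage for the CVE-2011-0518 indicators listed above.

Added example: not code from the CVE page, Exploit-DB, Metasploit or Nuclei.
Assumes Apache 'combined' log format; all log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format (assumed): ip ident user [ts] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns taken from the detection notes above.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                  # '../' in the 'system' parameter
EVAL_INJECT_RE = re.compile(r"""['"]\)\s*;|\$\{""")      # "');" or "${" in the 'page' parameter
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)    # PHP open tag anywhere in the URI


def analyze(line):
    """Return the list of indicator names matched by one log line.

    None means the line did not parse; [] means it parsed and looks clean.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    raw_uri = m.group('uri')
    parts = urlsplit(raw_uri)
    # parse_qs percent-decodes values once; unquote() is applied again below to
    # also catch double-encoded traversal such as %252e%252e%252f.
    params = parse_qs(parts.query, keep_blank_values=True)

    if parts.path.endswith('index.php'):
        for value in params.get('system', []):
            if TRAVERSAL_RE.search(value) or TRAVERSAL_RE.search(unquote(value)):
                findings.append('lfi_traversal_in_system')
                break
        for value in params.get('page', []):
            if EVAL_INJECT_RE.search(value) or EVAL_INJECT_RE.search(unquote(value)):
                findings.append('eval_injection_in_page')
                break
        # POST bodies are not in the access log, so a POST with system=Blog is
        # only a triage hint: the comment 'name' field has to be checked elsewhere
        # (request-body logging, or the files under data/modules/Blog/data/comments/).
        if m.group('method') == 'POST' and params.get('system') == ['Blog']:
            findings.append('blog_comment_post_review_body')

    # Log-poisoning attempts put PHP code in the request URI itself (any path).
    if PHP_TAG_RE.search(unquote(raw_uri)):
        findings.append('php_tag_in_uri_log_poisoning')
    return findings


def scan(lines):
    """Return [(line_index, client_ip, findings)] for every line that matched something."""
    hits = []
    for i, line in enumerate(lines):
        findings = analyze(line)
        if findings:
            hits.append((i, LOG_RE.match(line).group('ip'), findings))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2011:12:00:01 +0000] "GET /lcms/index.php?system=Blog&page=index HTTP/1.1" 200 4211',
    '10.0.0.9 - - [10/Jan/2011:12:00:02 +0000] "GET /lcms/index.php?system=../../../../CONSTRUCTED/path HTTP/1.1" 200 1623',
    '10.0.0.9 - - [10/Jan/2011:12:00:03 +0000] "GET /lcms/index.php?page=index%27%29%3B%24%7Bsystem%28%27id%27%29%7D HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Jan/2011:12:00:04 +0000] "GET /hazStart<?php%20echo(1);%20?>hazEnd HTTP/1.1" 404 512',
    '10.0.0.9 - - [10/Jan/2011:12:00:05 +0000] "POST /lcms/index.php?system=Blog HTTP/1.1" 302 -',
]

if __name__ == '__main__':
    for index, ip, findings in scan(SAMPLE_LOG):
        print(f'line {index}: {ip} -> {", ".join(findings)}')
```

Run against the constructed samples, lines 1 to 4 each produce one finding and the benign line 0 produces none. The Nuclei response-body indicator (the MD5 string) is deliberately not covered here, because response bodies are not part of the access log; that check belongs in the scanner output or in a proxy that logs responses.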
No detection rules found.
Exploit-DB
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote Code Execution (exploitdb · 2011-01-10 · CVE-2011-0518)
```python
#!/usr/bin/python
# Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
# greetz Tecr0C :0)
#
# Vuln: lines 15-23 in core/lib/router.php
#---------- sof
# //Get page request (if any)
# $page = $this->getInputString("page", "index");
#
# //Get plugin request (if any)
# $plugin = $this->getInputString("system", "Page");
#
# //If there is a request for a plugin
# if(file_exists("core/plugs/".$plugin."Starter.php")){
# //Include Page fetcher
# include("core/plugs/".$plugin."Starter.php");
# --------- eof
#
# Additionally, the CMS allows an attacker to comment on blog posts which inturn will
# write a file on the remote disk with possibly 'malicious' content inside.
#
# exploit includes:
# - Proxy support
# - Dynami
```
Metasploit
LotusCMS 3.0 eval() Remote Command Execution (metasploit)
This module exploits a vulnerability found in Lotus CMS 3.0's Router() function. This is done by embedding PHP code in the 'page' parameter, which is passed to an eval call, therefore allowing remote code execution. The module can either automatically pick up a 'page' parameter from the default page, or manually specify one in the URI option. To use the automatic method, supply the URI with just a directory path, for example: "/lcms/". To manually configure one, you may do: "/lcms/somepath/index.php?page=index".
Nuclei
LotusCMS 3.0 - Remote Code Execution (nuclei · CVSS 5.1 · CVE-2011-0518 [MEDIUM])
LotusCMS 3.0 is susceptible to remote code execution via the Router() function. This is done by embedding PHP code in the 'page' parameter, which is passed to an eval call, allowing remote code execution.
Template:
```yaml
id: CVE-2011-0518
info:
  name: LotusCMS 3.0 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    LotusCMS 3.0 is susceptible to remote code execution via the Router () function. This is done by embedding PHP code in the 'page' parameter, which will be passed to a eval call and allow remote code execution.
  impact: |
    Remote attackers can include and execute arbitrary local files, potentially leading to remote code execution or full system compromise.
  remediation: |
    Enable magic_quotes_gpc or sanitize 'system' param
```
No writeups or analysis indexed.
References
- http://osvdb.org/70409
- http://secunia.com/advisories/42835
- http://www.exploit-db.com/exploits/15964
- http://www.vupen.com/english/advisories/2011/0073
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64736