CVE-2011-0518
published 2011-01-20

Priority: P3 (42), medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit available
EPSS: 15.83% (96.5th percentile)

Directory traversal vulnerability in core/lib/router.php in LotusCMS Fraise 3.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via the system parameter to index.php.

Affected (1 range)

Vendor: lotuscms
Product: fraise
Version range and fixed version: not listed

Detection & IOCs (extracted from sources)

url: /index.php
url: /lcms/index.php
command: page=index');${system('echo lotuscms_rce | md5sum')};#
other: 38ee63071a04dc5e04ed22624c38e648
path: core/lib/router.php
path: core/plugs/
filename: d8e8fca2dc0f896fd7cb4cb0031ba249.php
path: ../../data/modules/Blog/data/comments/

  • The exploit POSTs to index.php with a 'page' parameter containing PHP injection payload using eval(); detect POST requests to index.php where the 'page' parameter contains PHP code patterns such as ');${system( or similar eval-injectable strings.
  • The LFI vector uses the 'system' parameter in index.php to traverse directories via 'core/plugs/<system>Starter.php'; detect GET/POST requests to index.php where the 'system' parameter contains directory traversal sequences (e.g., ../).
  • Log poisoning technique: attacker sends a crafted GET request with PHP shell code in the URI path (between hazStart and hazEnd markers) to poison Apache access logs, then includes the log via LFI; monitor for GET requests containing PHP tags in the URI.
  • Blog comment injection: attacker posts PHP shell code in the 'name' field of a blog comment (system=Blog), which is written to a .txt file under data/modules/Blog/data/comments/; monitor POST requests to index.php with system=Blog and PHP code in the name field.
  • Nuclei detection: a successful RCE probe returns HTTP 200 with the MD5 string '38ee63071a04dc5e04ed22624c38e648' in the response body (md5 of 'lotuscms_rce\n').
  • The LFI vulnerability (via the 'system' parameter) only works when magic_quotes_gpc is disabled in php.ini; if magic_quotes_gpc is enabled, directory traversal sequences will be escaped and the attack will fail.
  • The exploit was developed and tested against Apache 2.2.14 / PHP 5.3.2 with magic_quotes_gpc = Off; behavior may differ on other configurations.
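
The request-level checks in the bullets above, combined into one classifier as an added example (not code from this page or from any LotusCMS or Nuclei source). The rule names, regexes and sample requests are constructed for illustration; it assumes you can feed it the method, request URI and form body from proxy or WAF logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL = re.compile(r"\.\.[/\\]")             # ../ or ..\ in 'system'
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.I)   # <?php, <?= or "<? "
PAGE_INJECT = re.compile(r"['\"]\s*\)\s*;|\$\{") # ');  or  ${  in 'page'

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(method, uri, body=""):
    """Return the sorted rule names that one HTTP request trips."""
    hits = set()
    if PHP_TAG.search(fully_unquote(uri)):
        hits.add("php-tag-in-uri")               # access-log poisoning attempt
    parts = urlsplit(uri)
    if not parts.path.endswith("/index.php"):
        return sorted(hits)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    params = {k: fully_unquote(v) for k, v in pairs}
    if TRAVERSAL.search(params.get("system", "")):
        hits.add("system-traversal")             # LFI via core/plugs/<system>Starter.php
    if PAGE_INJECT.search(params.get("page", "")):
        hits.add("page-code-injection")          # eval() injection via 'page'
    if (method == "POST" and params.get("system") == "Blog"
            and PHP_TAG.search(params.get("name", ""))):
        hits.add("blog-comment-php")             # PHP written into a comment file
    return sorted(hits)

# Constructed sample requests (method, URI, form body); not captured traffic.
SAMPLES = [
    ("GET", "/index.php?system=Blog&page=index", ""),
    ("GET", "/lcms/index.php?system=..%2F..%2Fexample", ""),
    ("POST", "/index.php", "page=index');${system('echo lotuscms_rce | md5sum')};#"),
    ("POST", "/index.php?system=Blog",
     "name=%3C%3Fphp+%2F%2A+constructed+%2A%2F+%3F%3E&message=hi"),
    ("GET", "/hazStart%3C%3Fphp%20%2F%2Aconstructed%2A%2F%3F%3EhazEnd", ""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, "->", classify(method, uri, body) or "clean")
```

A hit on page-code-injection followed by a 200 response containing the MD5 string listed above indicates the probe succeeded rather than merely being attempted.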