CVE-2011-4075
Published 2011-11-02. CVE-2011-4075: The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter…
Priority: P277 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 51.89% (98.8th percentile)
The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpldapadmin | < phpldapadmin 1.2.0.5-2.1 (bookworm) | phpldapadmin 1.2.0.5-2.1 (bookworm) |
| phpldapadmin_project | phpldapadmin | — | — |
| phpldapadmin_project | phpldapadmin | >= 0 < 1.2.0.5-2.1 | 1.2.0.5-2.1 |
Detection & IOCs (extracted from sources)
- command: `cmd=query_engine&query=none&search=1&orderby=foo));}}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;/*`
- command: `cmd=query_engine&query=none&search=1&orderby=<RAND>));}}error_reporting(0);eval(base64_decode($_SERVER[HTTP_<HEADER>]));die;/*`
- Detect POST requests to cmd.php containing `cmd=query_engine` with an `orderby` parameter value containing PHP injection patterns such as `}}error_reporting`, `passthru` or `eval(base64_decode`.
- Look for HTTP requests to cmd.php whose POST body contains `cmd=query_engine` and an `orderby` value containing closing braces/parentheses followed by PHP function calls (e.g. `}}`, `passthru`, `eval`, `base64_decode`), indicating create_function() injection.
- Fingerprint vulnerable phpLDAPadmin versions by matching the response body against the pattern `/phpLDAPadmin \(1\.2\.[0|1]\.\d/i` in HTTP responses.
- The exploit requires a valid session cookie obtained from the target phpLDAPadmin instance before the injection payload can be delivered; unauthenticated exploitation is not possible without first harvesting a session ID.
- The fix uses a whitelist regex on the orderby/sortby parameter before passing it to create_function(); detection rules targeting the raw injection string may not fire against patched versions (1.2.2+).
- The Metasploit module randomises both the injected function name prefix and the custom HTTP header name carrying the payload, so static string signatures on those values will not reliably detect all exploit attempts.
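An added example (not part of any source quoted on this page) that applies the rules above to constructed cmd.php request bodies: it checks the decoded orderby value against an attribute-name allowlist first and uses the static markers only as a secondary signal, because the page notes that the Metasploit module randomises the function-name prefix and header name. The allowlist regex and the sample bodies are assumptions of this example, not phpLDAPadmin's own fix.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies to cmd.php (not captured traffic); the two
# malicious ones follow the IoC shape listed above: orderby closes the
# generated code with ')); }}' and appends PHP calls.
SAMPLE_BODIES = [
    "cmd=query_engine&query=none&search=1&orderby=cn",
    "cmd=query_engine&query=none&search=1&orderby=sn,givenName",
    "cmd=query_engine&query=none&search=1&orderby=foo));}}error_reporting(0);"
    "passthru(base64_decode($_SERVER[HTTP_CMD]));die;/*",
    "cmd=query_engine&query=none&search=1&orderby=xKq9));}}error_reporting(0);"
    "eval(base64_decode($_SERVER[HTTP_XKQ]));die;/*",
]

# Assumed allowlist (ours; the page says the fix uses a whitelist regex but
# does not quote it): comma-separated LDAP attribute names.
ALLOWED_ORDERBY = re.compile(r"^[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$")

# Static markers from the published rules; a secondary signal only, since
# the Metasploit module randomises names and the allowlist catches variants.
INJECTION_MARKERS = ("}}", "));", "passthru", "eval(", "base64_decode",
                     "create_function", "error_reporting")


def parse_body(body):
    """Decode a form-urlencoded body, splitting on '&' only so that ';'
    inside a payload stays in the value (old parse_qs() split on it too)."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def inspect_cmd_php_body(body):
    """Return {"orderby", "suspicious", "reasons"} for one request body."""
    params = parse_body(body)
    verdict = {"orderby": params.get("orderby"), "suspicious": False, "reasons": []}
    # Only the query_engine action feeds orderby into masort().
    if params.get("cmd") != "query_engine" or "orderby" not in params:
        return verdict
    orderby = params["orderby"]
    if not ALLOWED_ORDERBY.match(orderby):
        verdict["reasons"].append("orderby is not a list of attribute names")
    hits = [m for m in INJECTION_MARKERS if m in orderby]
    if hits:
        verdict["reasons"].append("injection markers: " + ", ".join(hits))
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict
```

A URL-encoded variant (for example `%29%29%3B%7D%7D`) is decoded before either check runs, so percent-encoding does not bypass the allowlist.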
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-5h4f-2c6r-8cj3 (ghsa_unreviewed · 2022-05-13): CVE-2011-4075 [HIGH], CWE-94. Same description as the summary above.
OSV
CVE-2011-4075 (osv · 2011-11-02 · CVSS 7.5, HIGH). Same description as the summary above.
VulnCheck
phpldapadmin_project phpldapadmin: Improper Control of Generation of Code ('Code Injection') (vulncheck · 2011 · CVSS 7.5, HIGH). Same description as the summary above.
Affected: phpldapadmin_project phpldapadmin
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/cve-2011-4075; https://www.cve.org/CVERecord?id=CVE-2011-4075
Debian
CVE-2011-4075: phpldapadmin (vendor_debian · 2011 · CVSS 7.5, HIGH). Same description as the summary above.
Scope: local
- bookworm: resolved (fixed in 1.2.0.5-2.1)
- forky: resolved (fixed in 1.2.0.5-2.1)
- sid: resolved (fixed in 1.2.0.5-2.1)
- trixie: resolved (fixed in 1.2.0.5-2.1)
No detection rules found.
Exploit-DB
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (Metasploit) (2) (exploitdb · 2011-10-25 · CVE-2011-4075)

Excerpt of the module header as published (truncated in the source):

```ruby
##
# $Id: phpldapadmin_query_engine.rb 14060 2011-10-25 05:25:39Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'phpLDAPadmin %q{
          This module exploits a vulnerability in the lib/functions.php that allows
          attackers input parsed directly to the create_function() php function. A patch was
          issued that uses a whitelist regex expression to check the user supplied input
          before being parsed to the create_function() call.
        },
      'Author'         =>
        [
          'EgiX ',  # original discovery/po
```
Exploit-DB
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1) (exploitdb · 2011-10-23 · CVE-2011-4075)

Excerpt of the original advisory (the listing is cut off at the start in the source; line numbers are the advisory's and are referenced in the text):

```text
                      $key)) {\n";
1018.   $code .= "      asort(\$a->$key);\n";
1019.   $code .= "      \$aa = array_shift(\$a->$key);\n";
....
1078.   $code .= 'return $c;';
1079.
1080.   $CACHE[$sortby] = create_function('$a, $b',$code);
1081. }
```

The $sortby parameter passed to the 'masort' function isn't properly sanitized before being used in a call to create_function() at line 1080; this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling the 'query_engine' command, where input passed through $_REQUEST['orderby'] is passed as the $sortby parameter to the 'masort' function.

[-] Disclosure timeline:
[30/09/2011] - Vulnerability discovered
[02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=341
Metasploit
phpLDAPadmin query_engine Remote PHP Code Injection (metasploit)
This module exploits a vulnerability in lib/functions.php in phpLDAPadmin versions 1.2.1.1 and earlier that allows attacker input to be passed directly to the create_function() PHP function. A patch was issued that uses a whitelist regex expression to check the user-supplied input before it is passed to the create_function() call.
Bugzilla
CVE-2011-4082 phpldapadmin: local file inclusion flaw fixed in 0.9.8 (bugzilla · 2011-10-27 · CVSS 7.5, HIGH)
A local file inclusion flaw was found in the way phpLDAPadmin, a web-based LDAP client for managing LDAP servers, processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service (generate recursive inclusions leading to resource exhaustion) via a specially crafted request.
Note: A different issue than CVE-2011-4075 (due to the different attack vector and different source code file in question).
References:
http://www.securityfocus.com/bid/50328/info
http://www.securityfocus.com/data/vulnerabilities/exploits/50328.java
This was corrected in phpLDAPAdmin 0.9.8.5 and was assigned the name CVE-2011-4082.
Discussion:
Created phpldapadmin tracking bugs for
Bugzilla
CVE-2011-4074 CVE-2011-4075 phpldapadmin: XSS and code injection vulnerabilities in <= 1.2.1.1 (bugzilla · 2011-10-24 · CVSS 4.3, MEDIUM)
Two flaws were reported [1],[2],[3] in phpLDAPAdmin 1.2.1.1 and probably earlier versions.
1) Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to "query_engine", "query" is set to "none", and "search" is set to e.g. "1") is not properly sanitised in lib/functions.php before being used in a "create_function()" function call. This can be exploited to inject and execute arbitrary PHP code.
Both issues are fixed in git: iss
References
- http://dev.metasploit.com/redmine/issues/5820
- http://openwall.com/lists/oss-security/2011/10/24/9
- http://openwall.com/lists/oss-security/2011/10/25/2
- http://osvdb.org/76594
- http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin%3Ba=blobdiff%3Bf=lib/functions.php%3Bh=eb160dc9f7d74e563131e21d4c85d7849a0c6638%3Bhp=19fde9974d4e5eb3bfac04bb223ccbefdb98f9a0%3Bhb=76e6dad13ef77c5448b8dfed1a61e4acc7241165%3Bhpb=5d4245f93ae6f065e7535f268e3cd87a23b07744
- http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
- http://secunia.com/advisories/46551
- http://secunia.com/advisories/46672
- http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
- http://www.debian.org/security/2011/dsa-2333
- http://www.exploit-db.com/exploits/18021/
- http://www.securityfocus.com/bid/50331