cbcvebase.
CVE-2011-4075
published 2011-11-02

Priority: P2 (77), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (ITW): yes; listed in VulnCheck KEV
EPSS: 51.89% (98.8th percentile)
The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011.

Affected

12 ranges (as extracted; eight of the phpldapadmin_project entries carry no version range)

Vendor                 Product        Version range                            Fixed in
debian                 phpldapadmin   < phpldapadmin 1.2.0.5-2.1 (bookworm)    phpldapadmin 1.2.0.5-2.1 (bookworm)
phpldapadmin_project   phpldapadmin   (no range listed; 8 entries)             (none listed)
phpldapadmin_project   phpldapadmin   >= 0 < 1.2.0.5-2.1                        1.2.0.5-2.1
phpldapadmin_project   phpldapadmin   >= 0 < 1.2.0.5-2.1                        1.2.0.5-2.1
phpldapadmin_project   phpldapadmin   >= 0 < 1.2.0.5-2.1                        1.2.0.5-2.1

Note that 1.2.0.5-2.1 is a Debian package version, i.e. the upstream fix backported onto 1.2.0.5; the upstream fixed release is 1.2.2, as the description states. When auditing a non-Debian install, compare against 1.2.2, not against the Debian string.

Detection & IOCs (extracted from sources)

path: lib/functions.php
path: cmd.php
command: cmd=query_engine&query=none&search=1&orderby=foo));}}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;/*
command: cmd=query_engine&query=none&search=1&orderby=<RAND>));}}error_reporting(0);eval(base64_decode($_SERVER[HTTP_<HEADER>]));die;/*
  • Detect POST requests to cmd.php whose body contains cmd=query_engine and an orderby value carrying PHP injection patterns such as '}}error_reporting', 'passthru(' or 'eval(base64_decode('.
  • More generally, look for orderby values that close parentheses and braces and are then followed by PHP function calls (e.g. '));}}' then passthru, eval or base64_decode). That shape is what it takes to break out of the code string masort() builds from the parameter and hands to create_function(), so it is a more durable indicator than any one function name.
  • Fingerprint vulnerable phpLDAPadmin versions by matching the response body against /phpLDAPadmin \(1\.2\.[0|1]\.\d/i; the pattern matches the 1.2.0.x and 1.2.1.x banners and does not match 1.2.2, the upstream fixed release.
  • The exploit needs no credentials (CVSS Au:N), but it does need a session cookie: the Metasploit module first requests the application to obtain a session ID and sends the injection with that cookie, so a lone POST to cmd.php without a prior session-establishing request is not the pattern to expect.
  • The fix applies a whitelist regex to the orderby/sortby parameter before it reaches create_function(). Request-side signatures still fire against patched 1.2.2+ hosts, because the attacker's request looks the same; what they cannot tell you is whether the injection ran. Confirming success needs the response (the injected print() markers or command output) or server-side evidence.
  • The Metasploit module randomises both the injected function-name prefix (the <RAND> above) and the custom HTTP header that carries the payload (HTTP_<HEADER>), so static signatures on those values will not reliably detect all attempts; key on the structural tokens ('));}}', the trailing '/*', the $_SERVER[HTTP_...] read) instead.
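The detection bullets above describe a rule; the following is an added example, not code from the original page or from the phpLDAPadmin project, that implements it over constructed request-log lines. It matches the break-out shape ('));}}' with whitespace tolerated) plus a dangerous PHP call rather than literal strings, so the Metasploit module's random prefix and header name do not matter, and it includes the version-banner fingerprint. The log line layout ("METHOD PATH BODY", body URL-encoded) and every log line are constructed for this example.

```python
"""Detection logic for CVE-2011-4075 exploitation attempts, run over HTTP request logs.

Added example: not code from the original page or from the phpLDAPadmin project.
The log line layout ("METHOD PATH BODY", body URL-encoded) and the log lines
themselves are constructed for this example.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# The injected orderby value has to close the expression and function body that
# masort() builds for create_function() before it can run its own PHP. Matching
# that break-out shape plus a dangerous call, rather than a literal string,
# survives the Metasploit module's random function-name prefix and header name.
BREAKOUT_RE = re.compile(r"\)\s*\)\s*;?\s*\}\s*\}")  # '));}}', whitespace tolerated
PHP_CALL_RE = re.compile(
    r"\b(passthru|eval|system|exec|shell_exec|popen|proc_open|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)
# Version banner pattern from the page's fingerprint rule: matches 1.2.0.x and 1.2.1.x
VULN_BANNER_RE = re.compile(r"phpLDAPadmin \(1\.2\.[01]\.\d", re.IGNORECASE)


def parse_form(body: str) -> dict[str, list[str]]:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    Done by hand so that a ';' inside a PHP payload is never treated as a separator.
    """
    params: dict[str, list[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def injected_calls(orderby: str) -> list[str]:
    """Return the PHP calls found in a break-out payload, or [] if the value looks benign."""
    if not BREAKOUT_RE.search(orderby):
        return []
    return [m.lower() for m in PHP_CALL_RE.findall(orderby)]


def analyse_request(method: str, path: str, body: str) -> dict | None:
    """Apply the page's rule: POST to cmd.php, cmd=query_engine, hostile orderby."""
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith("cmd.php"):
        return None
    params = parse_form(body)
    if "query_engine" not in params.get("cmd", []):
        return None
    for value in params.get("orderby", []):
        calls = injected_calls(value)
        if calls:
            return {"path": path, "orderby": value, "calls": calls}
    return None


def scan_log(lines: list[str]) -> list[dict]:
    """Run analyse_request over 'METHOD PATH BODY' lines; BODY may be absent."""
    alerts = []
    for line in lines:
        fields = line.split(" ", 2)
        if len(fields) < 2:
            continue
        method, path = fields[0], fields[1]
        body = fields[2] if len(fields) == 3 else ""
        alert = analyse_request(method, path, body)
        if alert:
            alerts.append(alert)
    return alerts


def banner_looks_vulnerable(response_body: str) -> bool:
    """Version fingerprint from the page's rule; 1.2.2 and later do not match."""
    return bool(VULN_BANNER_RE.search(response_body))


# Constructed log lines (not real traffic). The first mimics the Metasploit module's
# shape with a random prefix ('xKqa') and random header ('HTTP_ZQWE'); the second
# inserts whitespace between tokens, which PHP tolerates but a literal '));}}'
# signature would miss; the last two are benign.
SAMPLE_LOG = [
    "POST /phpldapadmin/cmd.php cmd=query_engine&query=none&search=1"
    "&orderby=xKqa%29%29%3B%7D%7Derror_reporting%280%29%3Beval%28base64_decode"
    "%28%24_SERVER%5BHTTP_ZQWE%5D%29%29%3Bdie%3B%2F%2A",
    "POST /phpldapadmin/cmd.php cmd=query_engine&query=none&search=1"
    "&orderby=b%29+%29%3B+%7D+%7D+passthru%28base64_decode%28%24_SERVER"
    "%5BHTTP_X%5D%29%29%3Bdie%3B%2F%2A",
    "POST /phpldapadmin/cmd.php cmd=query_engine&query=none&search=1&orderby=cn",
    "POST /phpldapadmin/cmd.php cmd=login&login=admin&password=x",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['path']}: orderby={alert['orderby']!r} calls={alert['calls']}")
    print(banner_looks_vulnerable("phpLDAPadmin (1.2.0.5)"))  # True
```

The rule is request-side only: it reports attempts, not successes. Pair a hit with the version fingerprint on the host's response, or with the command output the payload prints back, before treating it as a compromise.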

CVSS provenance

nvd:            v2.0  7.5  HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P
osv:            7.5   HIGH
vulncheck:      7.5   HIGH
vendor_debian:  7.5   HIGH