CVE-2011-4451
published 2012-09-05


Priority: P3 (37)
CVSS 2.0: 4.3 (medium), AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 13.48% (96.0th percentile)
libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
wikkawiki | wikkawiki | |
wikkawiki | wikkawiki | |

Detection & IOCs (extracted from sources)

path: ./spamlog.txt.php
path: /libs/Wakka.class.php
url: /wikka/test/addcomment
command: body=foo&submit=Add+Comment
  • Monitor HTTP requests to addcomment endpoints for PHP code patterns (e.g., <?php) in the User-Agent header, which is the injection vector for CVE-2011-4451.
  • Alert on POST requests to paths matching */addcomment where the User-Agent header contains PHP tags or function calls.
  • Detect exploitation attempts by monitoring for HTTP requests to the spamlog file (spamlog.txt.php) after a comment submission, which would indicate an attacker is triggering the injected payload.
  • The Metasploit module triggers spam protection by generating 10 fake URLs in a comment body (default max_new_comment_urls is 6); detect comment POST bodies containing an unusually high number of URLs (>6) as a trigger indicator.
  • Monitor filesystem writes to spamlog.txt.php; any write to this file from a web process is suspicious and may indicate active exploitation.
  • The vulnerability is only exploitable when the 'spam_logging' option is explicitly enabled in WikkaWiki configuration. Installations with spam_logging disabled are not affected.
  • The vendor disputes the RCE severity, claiming the spamlog_path file is never rendered by the PHP interpreter. Verify whether the spamlog file has a .php extension in your deployment before assessing exploitability.
  • The spamlog_path is configurable; if an administrator has changed it to a non-.php extension, direct PHP execution via web request is not possible, though log injection still occurs.
  • Successful exploitation of CVE-2011-4451 may be chained with the SQL injection (CVE-2011-4453) session hijacking attack to obtain an authenticated session cookie before triggering the spam log injection.
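
The two log-based checks listed above (PHP code in the User-Agent of an addcomment POST, then a request for the spam log file), as an added example that is not part of the original page or of any vendor tooling. It assumes Apache/nginx combined-format access logs; the `detect` function, the rule names and the sample lines are constructed for illustration.

```python
import re

# Assumed input: Apache/nginx "combined" access-log lines.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# PHP open tags, or calls to common code-execution functions, in a User-Agent.
PHP_IN_UA = re.compile(
    r'<\?(?:php|=)?|\b(?:eval|system|passthru|shell_exec|base64_decode)\s*\(', re.I)
ADDCOMMENT = re.compile(r'/addcomment(?:[/?&]|$)')
SPAMLOG = "spamlog.txt.php"  # file name from the page; spamlog_path is configurable

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [05/Sep/2012:10:00:01 +0000] "GET /wikka/HomePage HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [05/Sep/2012:10:00:05 +0000] "POST /wikka/test/addcomment HTTP/1.1" '
    '200 812 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [05/Sep/2012:10:00:09 +0000] "POST /wikka/test/addcomment HTTP/1.1" '
    '200 640 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [05/Sep/2012:10:00:12 +0000] "GET /wikka/spamlog.txt.php HTTP/1.1" '
    '200 97 "-" "Mozilla/5.0"',
]

def detect(lines, spamlog_name=SPAMLOG):
    """Return (line_no, rule, client_ip) alerts for an iterable of log lines."""
    alerts, injectors = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not combined format; skipped rather than guessed at
        ip, target = m["ip"], m["target"]
        path = target.split("?", 1)[0]
        if (m["method"] == "POST" and ADDCOMMENT.search(target)
                and PHP_IN_UA.search(m["ua"])):
            alerts.append((n, "php-in-user-agent", ip))
            injectors.add(ip)  # remember the client for correlation
        elif path.rsplit("/", 1)[-1] == spamlog_name:
            # Any web fetch of the spam log is notable; same-client is stronger.
            rule = "spamlog-fetch-after-injection" if ip in injectors else "spamlog-fetch"
            alerts.append((n, rule, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The URL-count and filesystem-write indicators from the list are not covered here, since they need request-body logging and file auditing rather than access logs. Pass the deployment's own file name as `spamlog_name` if spamlog_path has been changed.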