CVE-2011-4451
Published 2012-09-05
Priority P3 · 37 · medium · 4.3 CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 13.48% (96.0th percentile)
libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wikkawiki | wikkawiki | — | — |
| wikkawiki | wikkawiki | — | — |
Detection & IOCs
- Monitor HTTP requests to addcomment endpoints for PHP code patterns (e.g., <?php) in the User-Agent header, which is the injection vector for CVE-2011-4451.
- Alert on POST requests to paths matching */addcomment where the User-Agent header contains PHP tags or function calls.
- Detect exploitation attempts by monitoring for HTTP requests to the spamlog file (spamlog.txt.php) after a comment submission, which would indicate an attacker is triggering the injected payload.
- The Metasploit module triggers spam protection by generating 10 fake URLs in a comment body (default max_new_comment_urls is 6); detect comment POST bodies containing an unusually high number of URLs (>6) as a trigger indicator.
- Monitor filesystem writes to spamlog.txt.php; any write to this file from a web process is suspicious and may indicate active exploitation.
- The vulnerability is only exploitable when the 'spam_logging' option is explicitly enabled in WikkaWiki configuration. Installations with spam_logging disabled are not affected.
- The vendor disputes the RCE severity, claiming the spamlog_path file is never rendered by the PHP interpreter. Verify whether the spamlog file has a .php extension in your deployment before assessing exploitability.
- The spamlog_path is configurable; if an administrator has changed it to a non-.php extension, direct PHP execution via web request is not possible, though log injection still occurs.
- Successful exploitation of CVE-2011-4451 may be chained with the SQL injection (CVE-2011-4453) session hijacking attack to obtain an authenticated session cookie before triggering the spam log injection.
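The request-level indicators listed above can be combined into one correlation pass over parsed web-server records. This is an added example, not code from this page, WikkaWiki or the Metasploit module; the record field names, the regular expressions and the `example.test` sample data are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

PHP_MARKER = re.compile(r"<\?(?:php|=)|\b(?:eval|system|passthru|shell_exec|exec)\s*\(", re.I)
URL_RE = re.compile(r"https?://", re.I)
ADDCOMMENT_RE = re.compile(r"/addcomment(?:[/?&#]|$)")
MAX_NEW_COMMENT_URLS = 6          # WikkaWiki default cited on this page
SPAMLOG_NAME = "spamlog.txt.php"  # name cited on this page; spamlog_path is configurable

def indicators(req):
    """Return the indicator names matched by one request record (dict)."""
    hits, target = [], unquote_plus(req["path"])
    if req["method"] == "POST" and ADDCOMMENT_RE.search(target):
        if PHP_MARKER.search(req.get("user_agent", "")):
            hits.append("php_in_user_agent")
        if len(URL_RE.findall(unquote_plus(req.get("body", "")))) > MAX_NEW_COMMENT_URLS:
            hits.append("url_flood_comment")
    if SPAMLOG_NAME in target:
        hits.append("spamlog_requested")
    return hits

def detect(requests):
    """Return (client, severity, indicators) alerts in request order; escalate when a
    client that sent PHP markers in a comment POST later requests the spam log."""
    suspects, alerts = set(), []
    for req in requests:
        hits = indicators(req)
        if not hits:
            continue
        severity = "medium"
        if "php_in_user_agent" in hits:
            severity = "high"
            suspects.add(req["client"])
        if "spamlog_requested" in hits and req["client"] in suspects:
            severity = "critical"
        alerts.append((req["client"], severity, hits))
    return alerts

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"client": "198.51.100.7", "method": "POST", "path": "/wikka/HomePage/addcomment",
     "user_agent": "<?php /* constructed marker */ ?>",
     "body": "body=" + "+".join(f"http%3A%2F%2Fexample.test%2F{i}" for i in range(10))},
    {"client": "198.51.100.7", "method": "GET", "path": "/wikka/spamlog.txt.php",
     "user_agent": "Mozilla/5.0", "body": ""},
    {"client": "203.0.113.9", "method": "POST", "path": "/wikka/HomePage/addcomment",
     "user_agent": "Mozilla/5.0", "body": "body=nice+page+http%3A%2F%2Fexample.test"},
]
if __name__ == "__main__": print(*detect(SAMPLE), sep="\n")
```

If spamlog_path has been changed in your deployment, set `SPAMLOG_NAME` to the configured file name before running this over real logs.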
No detection rules found.
Exploit-DB
WikkaWiki 1.3.2 - Multiple Vulnerabilities
exploitdb·2011-11-30·CVSS 7.5
CVE-2011-4452 [HIGH] WikkaWiki 1.3.2 - Multiple Vulnerabilities
---
WikkaWiki Query("
UPDATE ".$this->GetConfigValue('table_prefix')."users
SET email = '".mysql_real_escape_string($email)."',
doubleclickedit = '".mysql_real_escape_string($doubleclickedit)."',
show_comments = '".mysql_real_escape_string($show_comments)."',
default_comment_display = '".$default_comment_display."',
revisioncount = ".$revisioncount.",
changescount = ".$changescount.",
theme = '".mysql_real_escape_string($usertheme)."'
WHERE name = '".$user['name']."'
LIMIT 1"
);
When handling the 'update' action, 'default_comment_display' is the only parameter that isn't sanitized with mysql_real_escape_string(); this can be exploited to inject arbitrary SQL code. Because of this is a multiple
Metasploit
WikkaWiki 1.3.2 Spam Logging PHP Injection
metasploit
This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection; this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'.
Published: 2012-09-05