CVE-2011-5130
Published 2012-08-30
Priority P2 · 61 · medium · CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 36.55% (98.3rd percentile)
dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when register_globals is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the argv[1] parameter.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haudenschilt | family_connections_cms | 2.5.0 through 2.7.1 | — |
Detection & IOCs (extracted from sources)
- Detect GET requests targeting dev/less.php with a pipe character (|) in the argv[1] query parameter, indicating shell metacharacter injection for RCE.
- Look for the sentinel strings 'fcms_start' and 'fcms_end' in HTTP traffic, used by the public exploit to delimit command output in responses.
- The Metasploit module uses a check request with '|echo <random_alpha>;#' in argv[1] and looks for the echoed string in the HTTP 200 response body to confirm exploitability.
- No authentication is required to exploit this vulnerability; any unauthenticated GET request to dev/less.php with a crafted argv[1] parameter should be treated as an attack attempt.
- The vulnerable code path executes: system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css") where $theme is attacker-controlled via argv[1]/register_globals.
- The vulnerability is only exploitable when the PHP server has register_globals set to On, which allows the HTTP query parameter argv[1] to overwrite the script's $argv[1] variable.
- Affected versions are FCMS 2.5.0 through 2.7.1 only; detections should be scoped to installations within this version range.
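The indicators above, turned into a small access-log scanner. This is an added example, not code from the page or from the FCMS project: the log format regex and the sample lines are constructed, the path check assumes FCMS is served under a web-reachable directory, and severity tiers are an assumption (metacharacters or exploit sentinels in argv[1] rank high, any argv[1] supplied over HTTP ranks medium, a bare hit on the dev script ranks low). It does not filter on request method, because register_globals also populates variables from POST bodies and cookies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Metacharacters that break out of the system() argument; '|' is the one the advisory names.
SHELL_META = re.compile(r"[|;&`$()<>\n]")
# Delimiters the public exploit wraps around command output (from the IOC list above).
SENTINELS = ("fcms_start", "fcms_end")
# Apache/nginx "combined" access-log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target: str):
    """Return (severity, reason) for one request target, or None if unrelated to dev/less.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("dev/less.php"):
        return None
    # parse_qs percent-decodes keys too, so argv%5B1%5D and argv[1] both land on 'argv[1]'.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get("argv[1]", [])
    if not values:
        return ("low", "dev/less.php reached over HTTP without argv[1] (probe?)")
    for v in values:
        if any(s in v for s in SENTINELS):
            return ("high", f"exploit sentinel in argv[1]: {v!r}")
        if SHELL_META.search(v):
            return ("high", f"shell metacharacter in argv[1]: {v!r}")
    return ("medium", f"argv[1] supplied over HTTP (register_globals abuse): {values[0]!r}")

def scan_log(lines):
    """Return [(ip, status, severity, reason)] for every line that touches dev/less.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify_request(m.group("target"))
        if verdict:
            hits.append((m.group("ip"), int(m.group("status")), *verdict))
    return hits

# Constructed sample log lines (not real traffic); the first mirrors the Metasploit check request.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Dec/2011:10:15:02 +0000] "GET /fcms/dev/less.php?argv[1]=%7Cecho%20abcd%3B%23 HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Dec/2011:10:15:09 +0000] "GET /fcms/dev/less.php?argv%5B1%5D=default HTTP/1.1" 200 88',
    '198.51.100.7 - - [07/Dec/2011:10:16:10 +0000] "GET /fcms/index.php?view=home HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Dec/2011:10:16:30 +0000] "GET /fcms/dev/less.php HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Scope the rule to hosts running FCMS 2.5.0 through 2.7.1 with register_globals on; on a patched install a hit is still worth a look but is not proof of compromise.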
No detection rules found.
Exploit-DB: Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit) (exploitdb · 2011-12-07)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Family Connections less.php Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in
        Family Connections 2.7.1. It's in the dev/less.php script and is due
        to an insecure use of system(). Authentication isn't required to exploit
        the vulnerability but register_globals must be set to On.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'mr_me ', # Vulnerability disc
```
Exploit-DB: Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution (exploitdb · 2011-12-04 · CVSS 7.5 [HIGH])
---
Vulnerable code from dev/less.php as quoted in the advisory:

```php
// $argv[1] is meant to come from the command line, but with register_globals=On
// a query parameter named argv[1] populates it over HTTP as well.
$theme = isset($argv[1]) ? $argv[1] : 'default';
system("clear");
if (file_exists("$dir/themes/$theme/style.css"))
{
    echo "\n[ themes/$theme/style.css ] already exists.\n\n";
    echo "Overwrite [ y/n ] ? ";
    $handle = fopen("php://stdin", "r");
    $line = fgets($handle);
    if (trim($line) != 'y')
    {
        exit;
    }
}
// $theme is interpolated unescaped into a shell command line.
$worked = system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css");
```
Fragment of the accompanying PHP exploit's usage banner (truncated in the source):

```text
-d OPTIONS
host: target server (ip/hostname)
path: directory path to wordpress
Options:
-p[ip:port]: specify a proxy
Example:
php ".$argv[0]." -t 192.168.1.5 -d /wp/ -p 127.0.0.1:8080
php ".$argv[0]." -t 192.168.1.5 -d /wp/
"); die;
}
error_reporting(7);
ini_set("max_execution_time", 0);
ini_set("default_so
```
Metasploit: Family Connections less.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability but register_globals must be set to On.
No writeups or analysis indexed.
References:
- http://osvdb.org/77492
- http://secunia.com/advisories/47069
- http://sourceforge.net/apps/trac/fam-connections/ticket/407
- http://www.exploit-db.com/exploits/18198
- http://www.exploit-db.com/exploits/18208
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71618
- https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/