CVE-2011-5130
published 2012-08-30


Priority: P261 · Severity: medium · CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 36.55% (98.3th percentile)
dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when register_globals is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the argv[1] parameter.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |
| haudenschilt | family_connections_cms | | |

Detection & IOCs (extracted from sources)

path: dev/less.php
url: /fcms/dev/less.php
command: GET /dev/less.php?argv[1]=|echo fcms_start;<cmd>;echo fcms_end; HTTP/1.1
command: |echo <mark>;#
command: |echo <start_mark>;<payload>;echo <end_mark>;#
  • Detect GET requests targeting dev/less.php with a pipe character (|) in the argv[1] query parameter, indicating shell metacharacter injection for RCE.
  • Look for the sentinel strings 'fcms_start' and 'fcms_end' in HTTP traffic, used by the public exploit to delimit command output in responses.
  • The Metasploit module uses a check request with '|echo <random_alpha>;#' in argv[1] and looks for the echoed string in the HTTP 200 response body to confirm exploitability.
  • No authentication is required to exploit this vulnerability; any unauthenticated GET request to dev/less.php with a crafted argv[1] parameter should be treated as an attack attempt.
  • The vulnerable code path executes: system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css") where $theme is attacker-controlled via argv[1]/register_globals.
  • The vulnerability is only exploitable when the PHP server has register_globals set to On, which allows the HTTP query parameter argv[1] to overwrite the script's $argv[1] variable.
  • Affected versions are FCMS 2.5.0 through 2.7.1 only; detections should be scoped to installations within this version range.
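
The first two detection bullets above, as added detection logic (not taken from the page's sources or from FCMS): a Python filter for web-server access logs that percent-decodes the query string before testing argv[1]. The log lines are constructed samples, and the combined-log request format and the function name are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request field of a combined-format access log line (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')
SHELL_META = set("|;&`$()<>#\n")
SENTINELS = ("fcms_start", "fcms_end")  # output delimiters named on this page

ARGV_SET = "argv[1] supplied over HTTP"
METACHAR = "shell metacharacter in argv[1]"
SENTINEL = "public-exploit sentinel in argv[1]"

def findings(log_line):
    """Return the reasons a log line matches CVE-2011-5130 traffic ([] if none)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    if not unquote(path).lower().endswith("/dev/less.php"):
        return []
    reasons = []
    # parse_qsl percent-decodes keys and values, so argv%5B1%5D=%7C... is caught.
    for key, value in parse_qsl(query, keep_blank_values=True, separator="&"):
        if key != "argv[1]":
            continue
        reasons.append(ARGV_SET)
        if SHELL_META & set(value):
            reasons.append(METACHAR)
        if any(s in value for s in SENTINELS):
            reasons.append(SENTINEL)
    return reasons

# Constructed sample lines (documentation IP ranges, placeholder command "CMD").
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /fcms/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /fcms/dev/less.php?argv%5B1%5D=%7Cecho%20fcms_start%3BCMD%3Becho%20fcms_end%3B HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dev/less.php?argv[1]=|echo%20AbCdEf;%23 HTTP/1.1" 200 7',
    '192.0.2.9 - - [01/Jan/2024:10:00:03 +0000] "GET /fcms/dev/less.php?argv[1]=default HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = findings(line)
        if hits:
            print(line.split()[0], "->", "; ".join(hits))
```

Values are percent-decoded once, so double-encoded input needs a second decoding pass before these checks apply.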