CVE-2011-5148
published 2012-08-31


Priority: P2 72 · Severity: medium · CVSS 2.0 base score: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.88% (91.0th percentile)
Multiple incomplete blacklist vulnerabilities in the Simple File Upload (mod_simplefileuploadv1.3) module before 1.3.5 for Joomla! allow remote attackers to execute arbitrary code by uploading a file with a (1) php5, (2) php6, or (3) double (e.g. .php.jpg) extension, then accessing it via a direct request to the file in images/, as exploited in the wild in January 2012.

Affected

3 ranges

Vendor   Product                Version range   Fixed in
wasen    mod_simplefileupload   <= 1.3
wasen    mod_simplefileupload
wasen    mod_simplefileupload

Detection & IOCs (extracted from sources)

path: images/
url: https://www.exploit-db.com/exploits/18287
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2;)
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2;)
  • Attacker uploads a file with a double extension (e.g. .php.jpg) or php5/php6 extension to bypass the module's blacklist, then directly requests the file under the images/ directory to achieve RCE.
  • POST requests containing a multipart form-data upload with a PHP-family extension (php, php5, php6, phtml, phar, etc.) disguised with Content-Type image/gif and a base64_decode payload body are strong indicators of exploitation.
  • GET requests containing the URI string 'mod_simplefileuploadv1.3' indicate interaction with the vulnerable Joomla module and should be investigated for follow-on file access.
  • The exploit was actively used in the wild starting January 2012; any web shell files with double extensions (e.g. .php.jpg) or .php5/.php6 extensions found under the Joomla images/ directory should be treated as compromised artifacts.
  • The ET rule sid:2034850 targets outbound traffic ($HOME_NET -> $EXTERNAL_NET), which may miss attacker-controlled infrastructure on the internal network or inbound-only monitoring setups; consider also alerting on inbound POST uploads to Joomla endpoints.
  • The blacklist bypass covers php5, php6, and double extensions, but the PCRE in the Snort rule also covers phps, pht, phtm, phtml, shtml, htaccess, phar, and inc; ensure your upload filter blocks all of these variants, not just the three named in the CVE description.
  • The vulnerability affects mod_simplefileuploadv1.3 versions before 1.3.5 only; confirm the installed module version before applying detection rules to avoid false positives on patched instances.
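The detection notes above can be turned into host-side checks. The following Python script is an added example written for this page; it is not code from the record's sources, from Joomla, or from the Simple File Upload module. It reuses the extension family from the PCRE in ET rule sid:2034850, flags filenames where any dot-separated component is a PHP-family token (so double extensions such as .php.jpg are caught), classifies access-log lines that touch the module path or request such a file under images/, walks a directory for leftover artifacts, and shows an allowlist check as the hardened alternative to the module's blacklist. The log lines are constructed samples in Apache "combined" format, and the allowed image extensions are an assumption for illustration.

```python
"""Defender-side checks for CVE-2011-5148 style upload abuse (added example)."""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Extension family taken from the PCRE in ET rule sid:2034850. It is wider than
# the three variants named in the CVE text (php5, php6, double extension).
PHP_FAMILY = r"(?:php\d*|phps|pht|phtm|phtml|shtml|htaccess|phar|inc)"

# A PHP-family token as a whole dot-separated component, in ANY position, so a
# double extension like "x.php.jpg" is caught as well as a trailing ".php5".
# Case-insensitive, matching the /i flag of the Snort PCRE.
SUSPICIOUS_COMPONENT = re.compile(r"(?<=\.)" + PHP_FAMILY + r"(?=\.|$)", re.IGNORECASE)

# Apache/nginx "combined" access-log shape; only the fields this check needs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for an image-upload endpoint (illustrative, not Joomla's).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed sample lines (not real traffic) used by the demo below.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2012:10:02:11 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Jan/2012:10:02:15 +0000] "GET /modules/mod_simplefileuploadv1.3/ HTTP/1.1" 200 340',
    '203.0.113.7 - - [15/Jan/2012:10:02:40 +0000] "GET /images/shell.php.jpg HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Jan/2012:10:05:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]


def is_suspicious_filename(name: str) -> bool:
    """Blacklist-style check: any extension component is in the PHP family."""
    return SUSPICIOUS_COMPONENT.search(name) is not None


def is_allowed_upload(name: str) -> bool:
    """Allowlist-style check: exactly one extension and it is a permitted image type.

    This is the shape of filter that closes the incomplete-blacklist class of bug:
    "shell.php.jpg" fails because it has two extensions, ".htaccess" fails because
    it has no base name, and unknown extensions fail by default.
    """
    parts = name.lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED_IMAGE_EXTENSIONS


def classify_request(line: str) -> Optional[str]:
    """Return 'module-access', 'webshell-request', or None for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if "mod_simplefileuploadv1.3" in path:           # same string as sid:2034851
        return "module-access"
    if "/images/" in path.lower():                   # direct request under images/
        if is_suspicious_filename(path.rsplit("/", 1)[-1]):
            return "webshell-request"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, classification) for every flagged line."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        kind = classify_request(line)
        if kind:
            hits.append((n, kind))
    return hits


def find_suspicious_files(root: Path) -> List[Path]:
    """Walk a directory (e.g. the Joomla images/ tree) for PHP-family artifacts."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_suspicious_filename(p.name))


if __name__ == "__main__":
    for n, kind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}")
    for candidate in ("logo.png", "shell.php.jpg", "shell.php5", ".htaccess"):
        print(f"{candidate}: blacklist-flagged={is_suspicious_filename(candidate)} "
              f"allowlist-ok={is_allowed_upload(candidate)}")
```

Run `find_suspicious_files(Path("/path/to/joomla/images"))` on a suspected host to list artifacts to triage; the filename check treats a PHP-family token anywhere in the extension chain as suspicious, which is deliberately broader than the three variants in the CVE text, in line with the note about the Snort PCRE.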

CVSS provenance

nvd: CVSS v2.0 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
vulncheck: 6.8 MEDIUM