CVE-2011-5148
Published 2012-08-31
Priority P272 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.88% (91.0th percentile)
Multiple incomplete blacklist vulnerabilities in the Simple File Upload (mod_simplefileuploadv1.3) module before 1.3.5 for Joomla! allow remote attackers to execute arbitrary code by uploading a file with a (1) php5, (2) php6, or (3) double (e.g. .php.jpg) extension, then accessing it via a direct request to the file in images/, as exploited in the wild in January 2012.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wasen | mod_simplefileupload | <= 1.3 | — |
| wasen | mod_simplefileupload | — | — |
| wasen | mod_simplefileupload | — | — |
Detection & IOCs (extracted from sources)

Snort:

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2;)
```

Snort:

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2;)
```
- Attacker uploads a file with a double extension (e.g. .php.jpg) or a php5/php6 extension to bypass the module's blacklist, then directly requests the file under the images/ directory to achieve RCE.
- POST requests containing a multipart form-data upload with a PHP-family extension (php, php5, php6, phtml, phar, etc.), disguised with Content-Type image/gif and carrying a base64_decode payload body, are strong indicators of exploitation.
- GET requests containing the URI string 'mod_simplefileuploadv1.3' indicate interaction with the vulnerable Joomla module and should be investigated for follow-on file access.
- The exploit was actively used in the wild starting January 2012; any web shell files with double extensions (e.g. .php.jpg) or .php5/.php6 extensions found under the Joomla images/ directory should be treated as compromise artifacts.
- The ET rule sid:2034850 targets outbound traffic ($HOME_NET -> $EXTERNAL_NET), which may miss attacker-controlled infrastructure on the internal network or inbound-only monitoring setups; consider also alerting on inbound POST uploads to Joomla endpoints.
- The blacklist bypass covers php5, php6, and double extensions, but the PCRE in the Snort rule also covers phps, pht, phtm, phtml, shtml, htaccess, phar, and inc; ensure your upload filter blocks all of these variants, not just the three named in the CVE description.
- The vulnerability affects mod_simplefileuploadv1.3 versions before 1.3.5 only; confirm the installed module version before applying detection rules to avoid false positives on patched instances.
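One way to turn the two points above into code, as an added example that is not from this page, the module, or Joomla: the first function is the upload-side fix that closes the double-extension and php5/php6 bypass by checking every dotted segment of the filename against the same extension set as the ET PCRE; the second approximates the conditions of sid:2034850 over a raw request string. The function names and the sample request are constructed for this example.

```python
import re

# Extension alternation lifted from the ET rule sid:2034850 PCRE; anchored
# here so it is applied to one whole filename segment at a time.
PHP_FAMILY = re.compile(r"^(?:php\d*|phps|pht|phtm|phtml|shtml|htaccess|phar|inc)$", re.I)

def upload_name_is_dangerous(filename: str) -> bool:
    """Upload filter: refuse the name if ANY dotted segment after the first one
    is a PHP-family extension. This rejects 'shell.php.jpg' (double extension),
    'x.php5' / 'x.php6' (variants) and '.htaccess' (empty stem), while
    'photo.jpg' or 'archive.tar.gz' pass. An allowlist of image extensions
    would be stronger still; this mirrors the blacklist the module should have had."""
    segments = filename.rsplit("/", 1)[-1].split(".")
    return any(PHP_FAMILY.match(seg) for seg in segments[1:])

# Constructed sample request (not a real capture) shaped like what the rule
# describes: multipart POST, PHP-family filename, image/gif part, base64_decode.
SAMPLE_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----x\r\n\r\n"
    "------x\r\n"
    'Content-Disposition: form-data; name="file"; filename="cute.php.jpg"\r\n'
    "Content-Type: image/gif\r\n\r\n"
    "GIF89a<?php /* constructed marker */ base64_decode('QUJD'); ?>\r\n"
    "------x--\r\n"
)

DISPOSITION = re.compile(
    r'Content-Disposition: form-data; name="[^"]*"; filename="([^"]*)"', re.I)

def looks_like_cve_2011_5148_upload(raw_request: str) -> bool:
    """Approximation of ET sid:2034850 for log review: POST method, a multipart
    part whose filename carries a PHP-family extension, an image/gif
    Content-Type and the string base64_decode somewhere in the body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    if not head.startswith("POST "):
        return False
    m = DISPOSITION.search(body)
    if not m or not upload_name_is_dangerous(m.group(1)):
        return False
    return "base64_decode" in body and "image/gif" in body.lower()
```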
CVSS provenance
- NVD: CVSS 2.0 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- VulnCheck: 6.8 MEDIUM
GHSA
GHSA-x22x-5jv5-w996 · ghsa_unreviewed · 2022-05-17 · MEDIUM (advisory text identical to the CVE description above)
VulnCheck
Simple File Upload (mod_simplefileuploadv1.3) module before 1.3.5 for Joomla! Remote Code Execution · vulncheck · 2011 · CVSS 6.8 · MEDIUM (description identical to the CVE text above)
Affected: wasen mod_simplefileupload
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2011-5148; https://www.cve.org/CVERecord?id=CVE-2011-5148
Suricata
ET EXPLOIT Possible Joomla RCE (CVE-2011-5148) · suricata · 2021-12-30 · CVSS 6.8 · MEDIUM
Rule (metadata truncated on the source page):

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, confidence Medium, signature_severi
```
Suricata
ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148) · suricata · 2021-12-30 · CVSS 6.8 · MEDIUM
Rule (metadata truncated on the source page):

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mi
```
No writeups or analysis indexed.
References:
- http://docs.joomla.org/Vulnerable_Extensions_List#Simple_File_Upload_1.3
- http://secunia.com/advisories/47370
- http://wasen.net/index.php?option=com_content&view=article&id=87&Itemid=59
- http://www.exploit-db.com/exploits/18287
- http://www.osvdb.org/78122
- http://www.securityfocus.com/bid/51214
- http://www.securityfocus.com/bid/51234
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72023