Vulnerabilities > CVE-2011-4825 - Code Injection vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

exploit available

metasploit

NVD

Published: 2011-12-15

Updated: 2011-12-15

Summary

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

Vulnerable Configurations

Part	Description	Count
Application	Phpletter Phpletter Ajax File AND Image Manager 0.5 Phpletter Ajax File AND Image Manager 0.5.5 Phpletter Ajax File AND Image Manager 0.5.7 Phpletter Ajax File AND Image Manager 0.6 Phpletter Ajax File AND Image Manager 0.6.12 Phpletter Ajax File AND Image Manager 0.7.8 Phpletter Ajax File AND Image Manager 0.7.10 Phpletter Ajax File AND Image Manager 0.8 Phpletter Ajax File AND Image Manager 0.8.8 Phpletter Ajax File AND Image Manager 0.8.9 Phpletter Ajax File AND Image Manager 0.8.24 Phpletter Ajax File AND Image Manager 0.9 Phpletter Ajax File AND Image Manager * Phpletter Ajax File AND Image Manager 1.0	20
Application	Phpmyfaq Phpmyfaq Phpmyfaq 2.6.0 Phpmyfaq Phpmyfaq 2.6.1 Phpmyfaq Phpmyfaq 2.6.2 Phpmyfaq Phpmyfaq 2.6.3 Phpmyfaq Phpmyfaq 2.6.4 Phpmyfaq Phpmyfaq 2.6.5 Phpmyfaq Phpmyfaq 2.6.6 Phpmyfaq Phpmyfaq 2.6.7 Phpmyfaq Phpmyfaq 2.6.8 Phpmyfaq Phpmyfaq 2.6.9 Phpmyfaq Phpmyfaq 2.6.10 Phpmyfaq Phpmyfaq 2.6.11 Phpmyfaq Phpmyfaq 2.6.12 Phpmyfaq Phpmyfaq 2.6.13 Phpmyfaq Phpmyfaq 2.6.14 Phpmyfaq Phpmyfaq 2.6.15 Phpmyfaq Phpmyfaq 2.6.16 Phpmyfaq Phpmyfaq 2.6.17 Phpmyfaq Phpmyfaq 2.6.18 Phpmyfaq Phpmyfaq 2.7.0	20
Application	Tinymce Tinymce Tinymce *	1

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

D2sec

name phpMyFAQ 2.7.0 RCE
url http://www.d2sec.com/exploits/phpmyfaq_2.7.0_rce.html
name Log1 CMS 2.0 RCE
url http://www.d2sec.com/exploits/log1_cms_2.0_rce.html

Exploit-Db

description	aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform
id	EDB-ID:18085
last seen	2016-02-02
modified	2011-11-05
published	2011-11-05
reporter	EgiX
source	https://www.exploit-db.com/download/18085/
title	aidiCMS 3.55 - ajax_create_folder.php Remote Code Execution

description	Log1 CMS writeInfo() PHP Code Injection. CVE-2011-4825. Webapps exploit for php platform
id	EDB-ID:18975
last seen	2016-02-02
modified	2012-06-03
published	2012-06-03
reporter	metasploit
source	https://www.exploit-db.com/download/18975/
title	Log1 CMS writeInfo PHP Code Injection

description	Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform
id	EDB-ID:18151
last seen	2016-02-02
modified	2011-11-24
published	2011-11-24
reporter	Adel SBM
source	https://www.exploit-db.com/download/18151/
title	Log1CMS 2.0 - ajax_create_folder.php Remote Code Execution

description	Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform
id	EDB-ID:18083
last seen	2016-02-02
modified	2011-11-05
published	2011-11-05
reporter	EgiX
source	https://www.exploit-db.com/download/18083/
title	Zenphoto <= 1.4.1.4 - ajax_create_folder.php Remote Code Execution

description	Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability. CVE-2011-4825. Webapps exploit for php platform
file	exploits/php/webapps/18075.txt
id	EDB-ID:18075
last seen	2016-02-02
modified	2011-11-04
platform	php
port
published	2011-11-04
reporter	EgiX
source	https://www.exploit-db.com/download/18075/
title	Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability
type	webapps

description	phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform
id	EDB-ID:18084
last seen	2016-02-02
modified	2011-11-05
published	2011-11-05
reporter	EgiX
source	https://www.exploit-db.com/download/18084/
title	phpMyFAQ <= 2.7.0 ajax_create_folder.php Remote Code Execution

Metasploit

description	This module exploits the "Ajax File and Image Manager" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.
id	MSF:EXPLOIT/MULTI/HTTP/LOG1CMS_AJAX_CREATE_FOLDER
last seen	2020-06-04
modified	2017-07-24
published	2012-06-02
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4825
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/log1cms_ajax_create_folder.rb
title	Log1 CMS writeInfo() PHP Code Injection

Packetstorm

data source	https://packetstormsecurity.com/files/download/113226/log1cms_ajax_create_folder.rb.txt
id	PACKETSTORM:113226
last seen	2016-12-05
published	2012-06-03
reporter	EgiX
source	https://packetstormsecurity.com/files/113226/Log1-CMS-writeInfo-PHP-Code-Injection.html
title	Log1 CMS writeInfo() PHP Code Injection

name	phpMyFAQ 2.7.0 RCE
url	http://www.d2sec.com/exploits/phpmyfaq_2.7.0_rce.html

name	Log1 CMS 2.0 RCE
url	http://www.d2sec.com/exploits/log1_cms_2.0_rce.html

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

D2sec

Exploit-Db

Metasploit

Packetstorm

References