------------------------------------------------------------------- PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Vulnerability ------------------------------------------------------------------- author...............: Egidio Romano aka EgiX mail.................: n0b0d13s[at]gmail[dot]com software link........: http://www.pmwiki.org/ affected versions....: from 2.0.0 to 2.2.34 [-] vulnerable code in PageListSort() function defined into /scripts/pagelist.php 452. $code = ''; 453. foreach($opt['=order'] as $o => $r) { 454. if (@$PageListSortCmp[$o]) 455. $code .= "\$c = {$PageListSortCmp[$o]}; "; 456. else 457. $code .= "\$c = @strcasecmp(\$PCache[\$x]['$o'],\$PCache[\$y]['$o']); "; 458. $code .= "if (\$c) return $r\$c;\n"; 459. } 460. StopWatch('PageListSort sort'); 461. if ($code) 462. uasort($list, 463. create_function('$x,$y', "global \$PCache; $code return 0;")); 464. StopWatch('PageListSort end'); Input passed through 'order' parameter of 'pagelist' directive isn't properly sanitized before being used in a call to create_function() at line 463. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability might require authentication if the wiki isn't public writable. [-] Disclosure timeline: [09/11/2011] - Vulnerability discovered [11/11/2011] - Issue reported to http://www.pmwiki.org/wiki/PITS/01271 [11/11/2011] - Version 2.2.35 released: http://www.pmwiki.org/wiki/PmWiki/ChangeLog#v2235 [12/11/2011] - CVE number requested [15/11/2011] - Assigned CVE-2011-4453 [23/11/2011] - Public disclosure [-] Proof of concept: http://www.exploit-db.com/exploits/18149
