CVE-2010-4335 - OpenCVE

The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Cakefoundation	Cakephp

Configuration 1 [-]

OR	cpe:2.3:a:cakefoundation:cakephp:1.2.8:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3:dev::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:alpha::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:beta::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc1::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc2::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc3::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc4::::::
	cpe:2.3:a:cakefoundation:cakephp:1.3.1:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3.2:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3.3:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3.4:::::::*
	cpe:2.3:a:cakefoundation:cakephp:1.3.5:::::::*

References

Link	Resource
http://malloc.im/CakePHP-unserialize.txt	Exploit
http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt	Exploit
http://secunia.com/advisories/42211	Vendor Advisory
http://securityreason.com/securityalert/8026
http://www.exploit-db.com/exploits/16011
http://www.osvdb.org/69352
https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2011-01-14T22:00:00

Updated: 2011-01-22T10:00:00

Reserved: 2010-11-30T00:00:00

Link: CVE-2010-4335

JSON object: View

NVD Information

Status : Modified

Published: 2011-01-14T23:00:46.850

Modified: 2011-01-22T06:44:44.190

Link: CVE-2010-4335

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-12-06T00:00:00", "descriptions": [{"lang": "en", "value": "The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-01-22T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb"}, {"name": "16011", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/16011"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt"}, {"name": "69352", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/69352"}, {"name": "8026", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/8026"}, {"tags": ["x_refsource_MISC"], "url": "http://malloc.im/CakePHP-unserialize.txt"}, {"name": "42211", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42211"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-4335", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb", "refsource": "CONFIRM", "url": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb"}, {"name": "16011", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/16011"}, {"name": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt", "refsource": "MISC", "url": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt"}, {"name": "69352", "refsource": "OSVDB", "url": "http://www.osvdb.org/69352"}, {"name": "8026", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8026"}, {"name": "http://malloc.im/CakePHP-unserialize.txt", "refsource": "MISC", "url": "http://malloc.im/CakePHP-unserialize.txt"}, {"name": "42211", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42211"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-4335", "datePublished": "2011-01-14T22:00:00", "dateReserved": "2010-11-30T00:00:00", "dateUpdated": "2011-01-22T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "4EAF987A-B6AE-49BC-9B1F-F91C8BEDE8BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3:dev:*:*:*:*:*:*", "matchCriteriaId": "3FC00F9B-A680-43F9-ABDA-3242D7AC6B3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C65627A5-D154-48F5-8902-D66899ABC206", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:alpha:*:*:*:*:*:*", "matchCriteriaId": "F0D64CF7-9431-410E-B69D-7B2828452739", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "BEAAA812-F8F6-48F2-995E-48929D532DB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "3AD6C268-C6DA-4DEE-853D-28E893CDE90E", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D1C5033B-0E35-4270-AEFD-C7E78E546E53", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "1119962A-421C-4F35-BCEE-3AD718F7E077", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C4E96540-FF61-4EEF-9768-BA4BE9441426", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3FE40BC8-8605-46FD-A6B3-B471623F5C14", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1602F4C6-4596-44B7-A2D7-CAF7F137748E", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "33DA98E6-D097-40F7-B63D-508E0BB593FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "2F002CFD-453B-4E9E-8BC3-9E647EDB0BD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "900DC462-B0B1-4205-B988-9DFC51366861", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files."}, {"lang": "es", "value": "la funci\u00f3n _validatePost en libs/controller/components/security.php en CakePHP v1.3.x hasta la v1.3.5 y v1.2.8 permite a atacantes remotos modificar la cach\u00e9 interna de la aplicaci\u00f3n y ejecutar c\u00f3digo arbitrario a trav\u00e9s de un valor data[_token][fields] debiadamente modificado, el cual es procesado por la funci\u00f3n unserialize, como se ha demostrado mediante la modificaci\u00f3n de la cach\u00e9 file_map para ejecutar archivos locales."}], "id": "CVE-2010-4335", "lastModified": "2011-01-22T06:44:44.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-01-14T23:00:46.850", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://malloc.im/CakePHP-unserialize.txt"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42211"}, {"source": "secalert@redhat.com", "url": "http://securityreason.com/securityalert/8026"}, {"source": "secalert@redhat.com", "url": "http://www.exploit-db.com/exploits/16011"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/69352"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}