FKIE_CVE-2010-4335

Vulnerability from fkie_nvd - Published: 2011-01-14 23:00 - Updated: 2025-04-11 00:51
Severity ?
Summary
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
References
secalert@redhat.comhttp://malloc.im/CakePHP-unserialize.txtExploit
secalert@redhat.comhttp://packetstormsecurity.org/files/view/95847/burnedcake.py.txtExploit
secalert@redhat.comhttp://secunia.com/advisories/42211Vendor Advisory
secalert@redhat.comhttp://securityreason.com/securityalert/8026
secalert@redhat.comhttp://www.exploit-db.com/exploits/16011
secalert@redhat.comhttp://www.osvdb.org/69352
secalert@redhat.comhttps://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cbPatch
af854a3a-2127-422b-91ae-364da2661108http://malloc.im/CakePHP-unserialize.txtExploit
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.org/files/view/95847/burnedcake.py.txtExploit
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/42211Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://securityreason.com/securityalert/8026
af854a3a-2127-422b-91ae-364da2661108http://www.exploit-db.com/exploits/16011
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/69352
af854a3a-2127-422b-91ae-364da2661108https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cbPatch
Impacted products
Vendor Product Version
cakefoundation cakephp 1.3.0
cakephp cakephp 1.2.8
cakephp cakephp 1.3
cakephp cakephp 1.3.0
cakephp cakephp 1.3.0
cakephp cakephp 1.3.0
cakephp cakephp 1.3.0
cakephp cakephp 1.3.0
cakephp cakephp 1.3.0
cakephp cakephp 1.3.1
cakephp cakephp 1.3.2
cakephp cakephp 1.3.3
cakephp cakephp 1.3.4
cakephp cakephp 1.3.5
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cakefoundation:cakephp:1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C65627A5-D154-48F5-8902-D66899ABC206",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A584BF0-397D-44C7-9F81-CC23EFBAA70B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3:dev:*:*:*:*:*:*",
              "matchCriteriaId": "7A61C888-8403-4C49-A2A9-8B4AB28518D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "9003AC05-6B40-4362-B808-B05FFF4E7BB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "DDCBE15B-B9CD-462A-9A60-A67B298B6416",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "4520A728-DD2E-4FFA-8AA7-1A411336C7FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "E1537D8B-9A98-4825-9A2D-1834B01C3E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "33E9CE1A-7B0E-4171-A525-820378DDB9AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "40A4B932-BC79-4EBD-8582-3F35BCE566FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3914F5C9-25F0-4204-A817-5192326B37E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9C75332-BD3C-477E-9FEA-4BF1273DA0C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D94386AB-8C14-492A-9E67-C827E21440B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C66D697F-CEE2-43C9-B292-359CD77EC775",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cakephp:cakephp:1.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFC5BFAB-16F9-4B80-9BF0-31DE89FD3985",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files."
    },
    {
      "lang": "es",
      "value": "la funci\u00f3n _validatePost en libs/controller/components/security.php en CakePHP v1.3.x hasta la v1.3.5 y v1.2.8 permite a atacantes remotos modificar la cach\u00e9 interna de la aplicaci\u00f3n y ejecutar c\u00f3digo arbitrario a trav\u00e9s de un valor data[_token][fields] debiadamente modificado, el cual es procesado por la funci\u00f3n unserialize, como se ha demostrado mediante la modificaci\u00f3n de la cach\u00e9 file_map para ejecutar archivos locales."
    }
  ],
  "id": "CVE-2010-4335",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-01-14T23:00:46.850",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://malloc.im/CakePHP-unserialize.txt"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42211"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://securityreason.com/securityalert/8026"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.exploit-db.com/exploits/16011"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.osvdb.org/69352"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://malloc.im/CakePHP-unserialize.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42211"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/8026"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.exploit-db.com/exploits/16011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/69352"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.