CVE-2011-10009
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-14
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awen | s40_cms | 0.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2011-10009 is a Local File Inclusion (LFI) vulnerability in S40 CMS version 0.4.2. It occurs because the 'p' parameter in the index.php page handler is not properly sanitized. This parameter is used directly in a PHP require() function without validation, allowing attackers to manipulate the file path and include arbitrary local files on the server. Attackers exploit this by appending directory traversal sequences and a null byte (%00) to bypass file extension checks, enabling them to access sensitive files outside the web root remotely without authentication. [1, 4]
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely access and read arbitrary files on the server running S40 CMS 0.4.2 without any authentication. This can lead to unauthorized disclosure of sensitive information such as system files (e.g., /etc/passwd), configuration files, or other data stored on the server. The attacker can exploit this to gather information for further attacks or compromise the system's confidentiality and security. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP GET requests to the vulnerable S40 CMS index.php page, manipulating the 'p' parameter to include directory traversal sequences and a null byte (%00) to attempt to access sensitive files like /etc/passwd. For example, a test request could be: curl "http://<target>/s40/index.php/?p=/../../../../../../../etc/passwd%00" If the response contains contents of the targeted file (e.g., /etc/passwd), the system is vulnerable. Additionally, the Metasploit auxiliary module (s40_traversal.rb) can be used to automate detection by specifying the target URI, traversal depth, and file to retrieve. This module sends crafted requests and analyzes responses to confirm vulnerability. [1, 3, 4]
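Besides actively probing the application, a defender can look for the same pattern in web-server access logs. The following PHP script is an added example (not code from BaseFortify, S40 CMS, or the Metasploit module); it flags requests to index.php whose 'p' parameter carries a directory-traversal sequence or an encoded null byte. The log lines are constructed sample data in Apache combined format, and the client addresses are from documentation ranges.

```php
<?php
// Added example: scan access-log lines for requests that hit the S40 CMS
// index.php handler with a 'p' parameter containing "../" or "%00".
// The log lines near the bottom are constructed sample data, not real traffic.

/**
 * Return true when the request line (e.g. "GET /s40/index.php/?p=... HTTP/1.1")
 * targets index.php and its 'p' parameter contains a traversal sequence or a
 * null byte, in raw or single-URL-encoded form.
 */
function isSuspiciousS40Request(string $requestLine): bool
{
    if (!preg_match('~^\S+\s+(\S+)\s+HTTP/~', $requestLine, $m)) {
        return false;                       // not a well-formed request line
    }
    $target = $m[1];
    if (stripos($target, 'index.php') === false) {
        return false;                       // only the page handler is of interest
    }
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return false;
    }
    // Inspect the raw 'p' value so nothing is decoded before we look at it.
    if (!preg_match('/(?:^|&)p=([^&]*)/i', $query, $pm)) {
        return false;
    }
    $raw = $pm[1];
    // One round of decoding normalises %2e%2e%2f to "../"; the raw value is
    // kept as well so a literal "%00" is still caught. Double-encoded payloads
    // (%252e) are outside what this simple check normalises.
    $decoded   = rawurldecode($raw);
    $traversal = strpos($decoded, '../') !== false || strpos($decoded, '..\\') !== false;
    $nullByte  = stripos($raw, '%00') !== false || strpos($decoded, "\0") !== false;
    return $traversal || $nullByte;
}

/**
 * Run the check over combined-format log lines and return the matching
 * entries with line number, client address, timestamp and request line.
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // Combined log format: client ident user [time] "REQUEST" status bytes ...
        if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"/', $line, $m)
            && isSuspiciousS40Request($m[3])) {
            $hits[] = ['line' => $i + 1, 'client' => $m[1], 'time' => $m[2], 'request' => $m[3]];
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
$sampleLog = [
    '203.0.113.7 - - [13/Aug/2025:10:01:02 +0000] "GET /s40/index.php/?p=home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Aug/2025:10:01:09 +0000] "GET /s40/index.php/?p=/../../../../../../../etc/passwd%00 HTTP/1.1" 200 1832',
    '198.51.100.4 - - [13/Aug/2025:10:02:31 +0000] "GET /s40/index.php/?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1832',
    '198.51.100.9 - - [13/Aug/2025:10:03:00 +0000] "GET /s40/index.php/?p=about&lang=en HTTP/1.1" 200 4096',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d: %s at %s requested %s\n",
        $hit['line'], $hit['client'], $hit['time'], $hit['request']);
}
```

With the sample data, lines 2 and 3 are reported and lines 1 and 4 are not. A 200 status on a flagged request is the stronger signal, since it suggests the include succeeded; a pipe of the real access log into `scanAccessLog` (one line per array element) is all that is needed to run this against a server. Requests whose parameters travel in a POST body do not appear in the access log, so this complements rather than replaces the active check above.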
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Restrict access to the vulnerable S40 CMS application, for example by firewall rules or network segmentation.
2. Disable or remove the vulnerable S40 CMS version 0.4.2 if possible, since it is no longer supported.
3. Apply input validation and sanitization on the 'p' parameter to prevent directory traversal and null byte injection.
4. If source code modification is possible, ensure that user input is strictly validated or use whitelisting to allow only safe file paths.
5. Monitor and block suspicious requests containing traversal sequences and null bytes.
6. Consider using web application firewalls (WAF) to detect and block exploitation attempts.

Since no patch is available, removing or restricting the vulnerable application is critical. [2]
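Steps 3 and 4 amount to never letting the 'p' parameter become a path. The PHP below is an added example, not S40 CMS code: it shows the unchecked-require() pattern the advisory describes, for contrast, next to a hardened handler that maps 'p' to an allowlisted page name and confirms the resolved file stays inside the pages directory. The `pages/` directory, the page names and the function names are assumptions made for the illustration.

```php
<?php
// Added example (not from S40 CMS): the vulnerable include pattern beside a
// hardened replacement. Directory layout and page names are assumptions.

// BEFORE: the pattern behind CVE-2011-10009, kept here only for contrast.
// The request parameter reaches require() unchecked, so "../" sequences and
// a null byte steer the include outside the pages directory.
function loadPageUnsafe(string $p): void
{
    require __DIR__ . '/pages/' . $p . '.php';
}

// AFTER: resolve the request to a known page name, never to a path.
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist of page identifiers that may be requested through 'p' (assumed).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map the untrusted 'p' value to a file under PAGES_DIR, or return null.
 * Null means "refuse the request"; the caller must never fall back to
 * including whatever the client asked for.
 */
function resolvePage(?string $p): ?string
{
    if ($p === null || $p === '') {
        $p = 'home';                                 // default page
    }
    // A plain identifier only: this single check rejects slashes, dots,
    // null bytes and their URL-encoded variants (which decode to the same bytes).
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $p)) {
        return null;
    }
    // Strict comparison against the allowlist; no string-to-path guessing.
    if (!in_array($p, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = PAGES_DIR . '/' . $p . '.php';
    // Defence in depth: the canonical path must still start with PAGES_DIR.
    $real = realpath($path);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function loadPageSafe(?string $p): void
{
    $file = resolvePage($p);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    require $file;
}

// Entry point: $_GET['p'] is the untrusted input discussed in the advisory.
loadPageSafe($_GET['p'] ?? null);
```

The allowlist does the real work; the `realpath()` prefix check only guards against a future change that lets a non-identifier slip through. Rejecting with a 404 rather than sanitising and continuing also gives the monitoring in step 5 a clean signal, since every flagged request shows up as a failed page lookup.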