CVE-2011-10013
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-14
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nirix | traq | 2.2 |
| nirix | traq | 2.3 |
| nirix | traq | 2.0 |
| nirix | traq | 2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2011-10013 is a critical remote code execution vulnerability in Traq versions 2.0 through 2.3. The issue lies in the admincp/common.php script where the authorization logic is flawed: after detecting a non-admin user, the script redirects them to a login page but does not stop further script execution. This allows unauthenticated attackers to bypass admin authentication and access admin-only functionality. Attackers exploit this by injecting arbitrary PHP code into a plugin hook via a POST request to admincp/plugins.php, which then executes the injected code remotely, effectively allowing full control over the affected server. [1, 3, 4, 5]
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on the affected server. This means an attacker can run any commands or scripts with the privileges of the web server, potentially leading to full system compromise, data theft, service disruption, or further attacks within the network. Because no authentication or user interaction is required, the risk is very high and can result in complete loss of confidentiality, integrity, and availability of the system. [1, 4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by checking for the presence of Traq versions 2.0 through 2.3, especially by requesting the admin login page (e.g., admincp/login.php) and searching for version strings indicating Traq 2.x. Additionally, monitoring for suspicious POST requests to admincp/plugins.php with parameters attempting to create new plugin hooks (e.g., newhook=template_footer) or unusual HTTP headers like CMD or HTTP_CMD carrying base64-encoded payloads can indicate exploitation attempts. A practical check is to send an HTTP request to admincp/login.php and look for Traq version information in the response headers or body. Network IDS/IPS can be configured to detect POST requests to admincp/plugins.php with suspicious parameters or base64-encoded payloads in headers. [3]
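The log-side check described in this answer, as an added example (not code from BaseFortify or the Traq project): it scans web access-log lines for POST requests to admincp/plugins.php and raises the severity when the response was a redirect or the query string carries newhook. Assumptions: the sample lines are constructed, the log is in Apache/nginx "combined" format, and a 3xx status on such a POST is treated as a sign of a client that was sent to the login page, inferred from the redirect behaviour described above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2025:10:01:02 +0000] "GET /admincp/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2025:10:01:05 +0000] "POST /admincp/plugins.php?newhook=template_footer HTTP/1.1" 302 512 "-" "curl/8.5.0"
198.51.100.20 - - [14/Aug/2025:10:03:11 +0000] "POST /admincp/plugins.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Aug/2025:10:04:40 +0000] "POST /traq/AdminCP/Plugins.php HTTP/1.1" 302 498 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Aug/2025:10:05:00 +0000] "POST /tickets/new HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET = "/admincp/plugins.php"  # endpoint named in the advisory text


def classify(line):
    """Return a finding dict for a POST to the plugin admin page, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    # Case-insensitive suffix match so installs under a sub-path are covered.
    if not url.path.lower().endswith(TARGET):
        return None
    reasons = []
    # Assumption: an unauthenticated client is answered with a redirect to login.
    if m["status"].startswith("3"):
        reasons.append("redirect status on admin POST")
    # Only query-string parameters are visible here; POST bodies are not logged.
    if "newhook" in parse_qs(url.query, keep_blank_values=True):
        reasons.append("newhook parameter")
    return {"ip": m["ip"], "time": m["ts"],
            "severity": "high" if reasons else "review", "reasons": reasons}


def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "review" finding can be a legitimate administrator using the plugin page. POST bodies and request headers such as CMD are not recorded in this log format, so matching on them needs WAF or reverse-proxy logging.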
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Traq to version 2.3.1 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict access to the /admincp/ directory to trusted IP addresses or via VPN to prevent unauthorized access. Additionally, monitor and block suspicious POST requests to admincp/plugins.php that attempt to create new plugin hooks or inject code. Applying web application firewall (WAF) rules to detect and block base64-encoded payloads in HTTP headers such as CMD or HTTP_CMD can also help mitigate exploitation attempts. Finally, consider disabling or removing the plugin system if not needed to reduce attack surface. [1, 4, 5]